Abstract — A class of languages C is perfect if it is closed under Boolean operations and the emptiness problem is decidable. Perfect language classes are the basis for the automata-theoretic approach to model checking: a system is correct if the language generated by the system is disjoint from the language of bad traces. Regular languages are perfect, but because the disjointness problem for context-free languages is undecidable, no class containing them can be perfect.

In practice, verification problems for language classes that are not perfect are often under-approximated by checking if the property holds for all behaviors of the system belonging to a fixed subset. A general way to specify a subset of behaviors is by using bounded languages (languages of the form $w_1^* \cdots w_k^*$ for fixed words $w_1, \ldots, w_k$). A class of languages C is perfect modulo bounded languages if it is closed under Boolean operations relative to every bounded language, and if the emptiness problem is decidable relative to every bounded language.

We consider finding perfect classes of languages modulo bounded languages. We show that the class of languages accepted by multi-head pushdown automata is perfect modulo bounded languages, and characterize the complexities of decision problems. We also show that bounded languages form a maximal class for which perfection is obtained. We show that computations of several known models of systems, such as recursive multi-threaded programs, recursive counter machines, and communicating finite-state machines can be encoded as multi-head pushdown automata, giving uniform and optimal underapproximation algorithms modulo bounded languages.

I. Introduction 

The automata-theoretic approach to model checking linear-time properties formalizes the verification problem as a language-theoretic problem about two automata: the system automaton, which recognizes the set of executions of the system, and the property automaton, which recognizes either the sequences of actions satisfying the property (positive specification), or those violating it (negative specification). Given a system automaton $S$ and a property automaton $P$, verification of positive and negative specifications reduces to checking $L(S) \subseteq L(P)$ (inclusion problem), or to checking $L(S) \cap L(P) = \emptyset$ (disjointness problem), respectively.

Language classes effectively closed under boolean operations and with a decidable emptiness problem are particularly interesting for the automata-theoretic approach. For such classes not only are the inclusion and disjointness problems decidable, they also have many further advantages. For example, in these classes systems are closed under parallel composition by rendez-vous, properties are closed under boolean operations, and systems can be seen as properties, or vice versa, with many useful consequences for compositional and assume-guarantee verification techniques. For all these reasons, we call these classes perfect.



The regular languages are perfect but, since the disjointness problem for the context-free languages (CFL) is undecidable (see [1]), no class containing CFL can be perfect. This "context-free barrier" restricts the search for perfect classes to those properly contained in CFL or incomparable with them, and both possibilities have been investigated. In a seminal paper [2], Alur and Madhusudan proved that the visibly pushdown languages — a subclass of CFL — are perfect, a result that led to a very successful theory and efficient algorithms (see e.g. [3], [2]). Later La Torre, Madhusudan, and Parlato discovered a perfect class incomparable with CFL: the languages recognized by multi-stack visibly pushdown automata whose computations can be split into a fixed number of stages during which at most one stack is popped [4].

The "context-free barrier" continues to be a serious obstacle in many applications, in particular in the verification of concurrent systems. For this reason, many tools only check a subset of the executions of the system. Intuitively, they direct a spotlight to a region of the possible executions, and check whether the executions under the spotlight satisfy the property. The spotlight is controlled by the user, who can freely move it around to check different regions, and conventional verification corresponds to a spotlight that illuminates the whole space of possible executions. In particular, the "spotlight principle" is applied by bounded model-checkers, which unroll program loops and recursion up to a fixed depth (often after taking the product of the program with an automaton for the property to be checked), leaving a system whose executions have a fixed bounded length (see e.g. [5], [6]). It is also used by context-bounded checkers for multi-threaded programs [7], [8], [9], which only examine executions containing at most a fixed number of context-switches (communication events between threads). Context-bounded checkers break the context-free barrier, but at the price of only exploring finite action sequences.¹ Recently, building on ideas by Kahlon [10] on bounded languages [11], context-bounded checking has been extended to bounded verification [12]², which checks whether executions of the system of the form $w_1^* \cdots w_n^*$ for some finite words $w_1, \ldots, w_n$ satisfy a property.

In automata-theoretic terms, the spotlight principle corresponds to verification modulo a language. The inclusion check $L(S) \subseteq L(P)$ and the disjointness check $L(S) \cap L(P) = \emptyset$ are

¹ More precisely, in automata-theoretic terms context-bounded checkers explore runs of $S$ of arbitrary length, but containing only a fixed number of non-$\varepsilon$ transitions.

² In [12] bounded verification was called pattern-based verification, but, since pattern is a rather generic term, we opt for bounded verification here.



replaced by the checks $L_M(S) \subseteq L_M(P)$ and $L_M(S) \cap L_M(P) = \emptyset$, respectively, where $L_M(\cdot)$ denotes $L(\cdot) \cap M$. Context-bounded checking corresponds to verification modulo the language of all words up to a fixed length, and bounded verification to verification modulo a bounded expression.

Verification modulo a language $M$ makes it possible to break the context-free barrier, which raises the question of identifying perfect classes modulo language classes. Given a boolean operation $Op(L_1, \ldots, L_n)$ on languages, let us define the same operation modulo a language $M$ by $Op_M(L_1, \ldots, L_n) = Op(L_1 \cap M, \ldots, L_n \cap M)$, and, similarly, let us say that an automaton $A$ is empty modulo $M$ if $L(A) \cap M = \emptyset$. Let $\mathcal{L}$ and $\mathcal{C}$ be classes of languages. We call $\mathcal{L}$ perfect modulo $\mathcal{C}$ if it is closed under Boolean operations modulo any $M \in \mathcal{C}$, and has a decidable emptiness problem modulo any $M \in \mathcal{C}$. It is easy to see that the recursive languages are perfect modulo the finite languages. But for bounded expressions the question becomes harder. The disjointness problem modulo a bounded expression is decidable for CFL [11], which hints at a perfect class modulo bounded expressions containing CFL. However, CFL itself is not perfect modulo bounded expressions, because it is not closed under intersection: there is no CFL $L$ such that
$$\{a^n b^n c^* \mid n \ge 0\} \cap \{a^* b^n c^n \mid n \ge 0\} \cap a^* b^* c^* = L \cap a^* b^* c^* .$$

In this paper we present the first perfect class modulo bounded expressions: the languages recognized by multi-head pushdown automata (MHPDA). This result is very satisfactory, because the class has a simple and purely syntactic definition, and, as we demonstrate, is expressive enough to capture many well-known models. We also characterize the complexity of the Boolean operations and the emptiness check modulo bounded expressions: we show that the emptiness check is coNEXPTIME-complete, union and intersection are polynomial, and complementation is at most triply exponential. Surprisingly, the emptiness problem is coNP-complete (and complementation doubly exponential) for the subclass of letter-bounded expressions, in which each string $w_1, \ldots, w_n$ is a single letter. We also show that bounded expressions are a maximal class of regular languages for which perfection can be attained for MHPDAs: any additional language leads to undecidability of emptiness.

In the second part of the paper, we show that central 
automata models of software can be encoded into MHPDA. 
Encoding recursive multithreaded programs to MHPDA is 
obvious, since the intersection of CFLs is MHPDA-definable, 
and we subsume the results of Esparza and Ganty [12]. 
Additionally, we supply encodings for recursive counter ma- 
chines (CM), the main automata-theoretic model of proce- 
dural programs with integer variables, and for finite-state 
machines communicating through unbounded perfect FIFO 
channels (CFSM), the most popular model for the verification 
of communication protocols. While the existence of some 
encoding is not surprising, since emptiness problems for CM, 
CFSM, and MHPDA are all undecidable, our encodings exhibit 
only a small polynomial blowup, and, perhaps more impor- 
tantly, preserve bounded behaviours. More precisely, using 
our encodings we reduce bounded control-state reachability 



for CM and CFSM — deciding reachability of a given control 
state by means of a computation conforming to a bounded 
expression — to non emptiness of MHPDA modulo bounded 
expression. As a consequence, we prove that bounded control- 
state reachability for both CM and CFSM are NP-complete. 
The NP-completeness also extends to unrestricted control-state 
reachability for flat CM and flat CFSM, because by construc- 
tion their computations conform to a bounded expression. (See 
e.g. [13] and [14] for a study of those models). More generally, 
our language-based approach provides a uniform framework 
for the verification of models using auxiliary storage like coun- 
ters, queues or a mix of both as defined in [15]. Incidentally, 
our framework allows to uniformly derive optimal complexity 
upper bounds for models manipulating counters, queues or 
both, and shared memory multithreaded programs. 

Related work. Multi-tape and multi-head finite-state and pushdown machines were extensively studied in the 1960's and 1970's, e.g. [16], [17], [18]. The decidability of emptiness for MHPDA modulo bounded languages was proved by Ibarra in [17], using previous results going back to his (hard to find) PhD thesis [16]. Our proof settles the complexity of the problem (coNEXPTIME-complete). Additionally, our constructions show the surprising coNP-completeness result for letter-bounded expressions. (A similar coNP-completeness result was recently obtained in [19], but for a different model.)

Reversal bounded counter machines as bounded language acceptors (see e.g. [20]) and bounded Parikh automata [21] have the same expressive power as MHPDA modulo bounded expressions (they all recognize the languages of the form $\{w_1^{k_1} \cdots w_n^{k_n} \mid (k_1, \ldots, k_n) \in S\}$ for some semilinear set $S$). These three characterizations of the same class complement each other. While MHPDAs have the modelling advantage of directly encoding recursive procedures, queues and counters, reversal bounded counter machines (and by extension flat counter machines) have very good algorithmic methods and tool support (see e.g. [19], [22]). Our results allow these algorithms and tools to be applied to a larger range of problems.

II. Preliminaries 

Language theory. An alphabet $\Sigma$ is a finite and non-empty set of letters. We use $\Sigma^*$ for the set of finite words over $\Sigma$, and $\varepsilon$ for the empty word.

We assume the reader is familiar with the basics of language 
theory, such as regular languages, context-free languages 
(CFL), context-sensitive languages (CSL), and the formalisms 
to describe them: nondeterministic finite automata (NFA), 
context-free grammars (CFG), pushdown automata (PDA), etc. 
(see, e.g., [1]). 

Let us mention that for NFAs, CFGs and PDAs the size of their encoding (denoted using $|\cdot|$) is the number of bits required to represent them.

Parikh images. For $k \in \mathbb{N}$, we write $\mathbb{Z}^k$ and $\mathbb{N}^k$ for the sets of ($k$-dim) vectors of integers and naturals, $\mathbf{0}$ for $(0, \ldots, 0)$, and $\mathbf{e}_i$ for the vector $(z_1, \ldots, z_k) \in \mathbb{N}^k$ such that $z_j = 1$ if $j = i$ and $z_j = 0$ otherwise. Addition and equality on $k$-dim vectors are defined pointwise.



Given a fixed linear order $\Sigma = \{a_1, \ldots, a_n\}$, the Parikh image of $a_i \in \Sigma$, written $\mathit{Parikh}^{\Sigma}(a_i)$, is the vector $\mathbf{e}_i$. The Parikh image is extended to words by defining $\mathit{Parikh}^{\Sigma}(\varepsilon) = \mathbf{0}$ and $\mathit{Parikh}^{\Sigma}(u \cdot v) = \mathit{Parikh}^{\Sigma}(u) + \mathit{Parikh}^{\Sigma}(v)$, and to languages by letting, for $L \subseteq \Sigma^*$, $\mathit{Parikh}^{\Sigma}(L) = \{\mathit{Parikh}^{\Sigma}(w) \mid w \in L\}$. We sometimes omit the superscript $\Sigma$.

Presburger Formulas. A term is a constant $c \in \mathbb{N}$, a variable $x$ from a set $X$ of variables, or an expression of the form $t_1 + t_2$ or $t_1 - t_2$, where $t_1, t_2$ are terms. A Presburger formula is an expression of the form $t \sim 0$, where $t$ is a term and $\sim \in \{<, \le, =, \ne, \ge, >\}$, or of the form $\phi_1 \wedge \phi_2$, $\phi_1 \vee \phi_2$, $\exists x.\,\phi$, where $\phi, \phi_1, \phi_2$ are Presburger formulas. Given a Presburger formula $\phi$ with free variables $x_1, \ldots, x_k$ (written $\phi(x_1, \ldots, x_k)$), we denote by $[\![\phi]\!]$ the set $\{(n_1, \ldots, n_k) \in \mathbb{N}^k \mid \phi(n_1, \ldots, n_k) \text{ is true}\}$, where $\phi(n_1, \ldots, n_k)$ denotes the formula without free variables obtained by substituting $n_i$ for $x_i$. We recall that satisfiability of Presburger formulas is decidable [11] and that the Parikh image of a context-free language is Presburger-definable [23].

Bounded expressions. A bounded expression $\mathbf{w}$ over $\Sigma$ is a regular expression of the form $w_1^* \cdots w_n^*$ such that $n \ge 1$ and $w_i$ is a non-empty word over $\Sigma$ for each $i \in [1, n]$³. Abusing notation we sometimes write $\mathbf{w}$ for $L(\mathbf{w})$. The size of a bounded expression $\mathbf{w}$ is defined as $|\mathbf{w}| = 1 + \sum_{i=1}^{n} |w_i|$. A bounded expression is letter-bounded if $|w_1| = \cdots = |w_n| = 1$, where the $w_i$'s are not necessarily distinct.

Shuffle and indexed shuffle. The shuffle of two words $x, y \in \Sigma^*$ is the language
$$x \sqcup\!\sqcup y = \{x_1 y_1 \cdots x_n y_n \in \Sigma^* \mid \text{each } x_i, y_i \in \Sigma^* \text{ and } x = x_1 \cdots x_n \wedge y = y_1 \cdots y_n\} ,$$
and the shuffle of two languages $L_1, L_2 \subseteq \Sigma^*$ is the language $L_1 \sqcup\!\sqcup L_2 = \bigcup_{x \in L_1,\, y \in L_2} x \sqcup\!\sqcup y$. Shuffle is associative, and so we can write $L_1 \sqcup\!\sqcup \cdots \sqcup\!\sqcup L_k$, which we often shorten to $\sqcup\!\sqcup_{i=1}^{k} L_i$.

Given $i \ge 0$ let $\Sigma \bowtie i = \{(a, i) \mid a \in \Sigma\}$. We say that $i$ is the index of $(a, i)$, and extend indexing to words and languages in the natural way. For $w = b_1 \cdots b_t \in \Sigma^*$ and $i \ge 0$, $(w \bowtie i) = (b_1, i) \cdots (b_t, i)$, and $L \bowtie i = \{w \bowtie i \mid w \in L\}$. The indexed shuffle of $L_1, \ldots, L_k$ is the language
$$\underline{\sqcup\!\sqcup}_{i=1}^{k} L_i = \sqcup\!\sqcup_{i=1}^{k} (L_i \bowtie i) .$$

For example, if we shorten $(a, 1)$ to $a1$ etc., we have
$$\{ab\} \;\underline{\sqcup\!\sqcup}\; \{b\} = \{a1\,b1\} \sqcup\!\sqcup \{b2\} = \{a1\,b1\,b2,\; a1\,b2\,b1,\; b2\,a1\,b1\} .$$

It is well known that if $L_i$ is recognized by an NFA of size $n_i$, then both $\sqcup\!\sqcup_{i=1}^{k} L_i$ and $\underline{\sqcup\!\sqcup}_{i=1}^{k} L_i$ are recognized by NFAs of size $O(\prod_{i=1}^{k} n_i)$.
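The definitions of Parikh image, shuffle and indexed shuffle above are small enough to execute directly. The following Python is an added example (my own code, not the paper's; function names are assumptions) that computes all three on explicit finite languages, reproduces the worked example $\{ab\} \,\underline{\sqcup\!\sqcup}\, \{b\}$, and checks the property that Section IV-B relies on: every word of an indexed shuffle of a fixed tuple of words has the same Parikh image, because interleaving only reorders letters. Indexed letters are represented as `(letter, index)` pairs.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, Optional, Sequence, Tuple

Word = Tuple   # a word is a tuple of letters; letters may be (a, i) pairs


def parikh(word: Sequence, order: Sequence) -> Tuple[int, ...]:
    """Parikh image of `word` w.r.t. the fixed linear order `order` of the
    alphabet: component i counts occurrences of order[i]."""
    position = {a: i for i, a in enumerate(order)}
    vec = [0] * len(order)
    for a in word:
        vec[position[a]] += 1
    return tuple(vec)


def shuffle(x: Sequence, y: Sequence) -> FrozenSet[Word]:
    """x ⧢ y: all interleavings that keep the relative order of the letters
    of x and of y.  An interleaving is fixed by choosing which positions of
    the result receive the letters of x."""
    n = len(x) + len(y)
    result = set()
    for x_positions in combinations(range(n), len(x)):
        taken = set(x_positions)
        xs, ys = iter(x), iter(y)
        result.add(tuple(next(xs) if i in taken else next(ys) for i in range(n)))
    return frozenset(result)


def shuffle_langs(l1: Iterable[Sequence], l2: Iterable[Sequence]) -> FrozenSet[Word]:
    """L1 ⧢ L2 = union of x ⧢ y over x in L1, y in L2."""
    return frozenset(z for x in l1 for y in l2 for z in shuffle(x, y))


def indexed(word: Sequence, i: int) -> Word:
    """w ⋈ i: attach index i to every letter of w."""
    return tuple((a, i) for a in word)


def indexed_shuffle(*langs: Iterable[Sequence]) -> FrozenSet[Word]:
    """⧢⧢_{i=1}^k L_i = ⧢_{i=1}^k (L_i ⋈ i), with indices starting at 1.
    Associativity of shuffle lets us fold over the languages left to right."""
    acc: FrozenSet[Word] = frozenset({()})       # shuffle with {ε} is neutral
    for i, lang in enumerate(langs, start=1):
        acc = shuffle_langs(acc, {indexed(w, i) for w in lang})
    return acc


def common_parikh(lang: Iterable[Sequence], order: Sequence) -> Optional[Tuple[int, ...]]:
    """The Parikh image shared by all words of `lang`, or None if they differ.
    For an indexed shuffle of a single tuple of words it is always defined."""
    images = {parikh(z, order) for z in lang}
    return next(iter(images)) if len(images) == 1 else None


def fmt(z: Word) -> str:
    """Print (a, 1) as a1, matching the shorthand used in the text."""
    return " ".join(f"{a}{i}" for a, i in z)


if __name__ == "__main__":
    s = indexed_shuffle({"ab"}, {"b"})
    print(sorted(fmt(z) for z in s))            # ['a1 b1 b2', 'a1 b2 b1', 'b2 a1 b1']
    print(common_parikh(s, [("a", 1), ("b", 1), ("b", 2)]))   # (1, 1, 1)
```

`common_parikh` returning a vector rather than `None` is exactly the observation that justifies writing $\mathit{Parikh}(\underline{\sqcup\!\sqcup}(v))$ for a tuple $v$ in Section IV-B; for an arbitrary language it can fail, as `common_parikh({"ab", "aa"}, "ab")` shows.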

³ For integers $x \le x'$, we write $[x, x']$ for the set $\{i \in \mathbb{Z} \mid x \le i \le x'\}$.



III. Models 

A tape content (or simply tape) $w$ over $\Sigma$ is a word $w \in \Sigma^*$. For $d \ge 1$, a $d$-tuple of tapes is a $d$-tuple $(w_1, \ldots, w_d)$ where each $w_i$ is a tape. Let $w \in \Sigma^*$; define $[w]^d$ as the $d$-tuple $(w, \ldots, w)$. It extends to languages as follows: let $L \subseteq \Sigma^*$; we write $[L]^d$ to denote the set of $d$-tuples of tapes given by $\{(w_1, \ldots, w_d) \mid w_i \in L\}$.

Definition 1: A $d$-tape pushdown automaton ($d$-TPDA, for short) is a 9-tuple $A = (S, \Sigma, \$, \Gamma, M, \nu, s_0, \gamma_0, F)$ where

1) $S$ is a finite non-empty set of states,

2) $\Sigma$ is the tape alphabet,

3) $\$$ is a symbol not in $\Sigma$ (the endmarker for the tape),

4) $\Gamma$ is the stack alphabet,

5) $M$, the set of transitions, is a mapping from $S \times (\Sigma \cup \{\$\} \cup \{\varepsilon\}) \times \Gamma$ into the finite subsets of $S \times \Gamma^*$,

6) $\nu \colon S \to [1, d]$ is the tape selector function,

7) $s_0 \in S$ is the start state,

8) $\gamma_0 \in \Gamma$ is the initial pushdown symbol,

9) $F \subseteq S$ is the set of final states.

Intuitively, a $d$-TPDA has a finite-state control ($S$), $d$ input tapes, and a stack. There is a separate input-reading head on each tape. Each state $s \in S$ in the finite state control reads from the tape given by $\nu(s)$ and pops the top of the stack. The transition relation then non-deterministically determines the new control state and the sequence of symbols pushed on to the stack. The read head moves one step to the right on its input tape.

For the sake of readability, we write $(s, \gamma) \xrightarrow{[a\rangle} (s', w)$ whenever $(s', w) \in M(s, a, \gamma)$. We sometimes write $(s, \gamma) \xrightarrow{[a\rangle_i} (s', w)$ where $\nu(s) = i$ when we want to make explicit from which tape we are reading.

The size $|A|$ of a $d$-TPDA $A$ is given by $|S| + |\Sigma| + |\Gamma| + \ldots$, where in the encoding of the function $\nu$ the numbers in $[1, d]$ are encoded in binary. Intuitively, $|A|$ is proportional to the number of bits required to represent a $d$-TPDA when numbers are represented in binary.

Let us fix a $d$-TPDA $A = (S, \Sigma, \$, \Gamma, M, \nu, s_0, \gamma_0, F)$.

Definition 2: Let $\#$ be a symbol distinct from the symbols in $\Sigma \cup \{\$\}$. Define $\mathbb{T} = \{w \# w' \mid w \cdot w' \in \Sigma^* \$\}$. An instantaneous description (ID) of $A$ is a triple $(s, t = (t_1, \ldots, t_d), w) \in S \times [\mathbb{T}]^d \times \Gamma^*$. An ID $(s, t, w)$ denotes that $A$ is in state $s$, with pushdown store content $w \in \Gamma^*$, and where $t = (t_1, \ldots, t_d)$ is such that $t_i \in \mathbb{T}$ gives the configuration of tape $i$, the position of the head being indicated by $\#$.

Definition 3: Let $\vdash$ be the relation between IDs defined as follows: let $c = (s, t, w\gamma)$ and $c' = (s', t', ww')$ be two IDs. We have $c \vdash c'$ iff each of the following conditions is satisfied:

1) $(s, \gamma) \xrightarrow{[\sigma\rangle} (s', w')$ for some $\sigma \in \Sigma \cup \{\varepsilon, \$\}$.

2) $t_{\nu(s)} = x \,\#\, \sigma \, y$ and
$$t'_i = \begin{cases} x \,\sigma\, \#\, y & \text{if } i = \nu(s) \\ t_i & \text{otherwise.} \end{cases}$$

Let $\vdash^*$ be the reflexive and transitive closure of $\vdash$. We now introduce helper functions $\mathit{Lft}$ and $\mathit{Rgt}$ which, given an ID $c$ and a tape $h \in [1, d]$, return the tape content lying to the left and to the right of the head (without the head position), respectively.

Definition 4: Given an ID $c = (s, t = (t_1, \ldots, t_d), w)$ and $h \in [1, d]$, define $\mathit{Rgt}(c, h)$ and $\mathit{Lft}(c, h)$ as follows: let $t_h = w_1 \# w_2$; then $\mathit{Rgt}(c, h) = w_2$ and $\mathit{Lft}(c, h) = w_1$.

Let us now define the languages accepted by $d$-TPDA.

Definition 5: Given an ID $c$, we say that a head $i$ is off its tape in $c$ whenever $\mathit{Rgt}(c, i) = \varepsilon$. Let $c = (s, t, w)$ be an ID; we say that $c$ is accepting iff $s \in F$ and for every $i \in [1, d]$ head $i$ is off its tape in $c$. A $d$-tuple of tapes $(x_1, \ldots, x_d) \in [\Sigma^*]^d$ is accepted by $A$ if
$$(s_0, (\# x_1 \$, \ldots, \# x_d \$), \gamma_0) \vdash^* (s, t, w)$$
for some ID $(s, t, w)$ that is accepting. The set of $d$-tuples of tapes accepted by $A$ is denoted $T(A)$. A subset $L \subseteq [\Sigma^*]^d$ is $d$-TPDA definable if there exists some $d$-TPDA $A$ such that $L = T(A)$.

Remark 1:

• Having all heads off their tape is a necessary condition to accept. Therefore any accepting run (even if the tape is $[\varepsilon]^d$) needs to perform at least one read on each tape because of $\$$. This implies that for any non-trivial $d$-TPDA, $d \le |S|$.

• The languages of $d$-TPDA are recursive for each $d \ge 1$ [16]. The languages that are 1-TPDA definable are the CFLs. Observe the following difference w.r.t. the classical definition, e.g. as in [1]: for a 1-TPDA to accept we need the current control state to be final and the head to be off the tape.

In later sections, we use a graphical notation for MHPDAs because it better carries intuitions. Fig. 1 gives such an example of a 2-HPDA which recognizes the language over symbols $\{0, 1, \&\}$ given by $\{w \& w \mid w \in \{0,1\}^* \text{ and } w \text{ is a palindrome}\}$. Intuitively, the 2-HPDA uses head 2 to recognize the first palindrome using its stack. When head 2 reads $\&$ the MHPDA enters $q_s$ where it checks using both heads that the subwords before and after $\&$ are identical. If the check succeeds then the MHPDA enters $q$ and then $q_f$ (head 2 has fallen off the tape), where it accepts after making head 1 fall off the tape. The transition from $q_1$ to $q_s$ labelled $[\&\rangle_2, \bot/\bot$ reads as follows: if in state $q_1$ the stack symbol $\bot$ is on the top of the stack, then read $\&$ with head 2 and update the location to $q_s$. Also read the transition from $q_f$ to itself labelled $[x \in \{0,1\}\rangle$ as follows: in state $q_f$ read any symbol of $\{0, 1\}$ and go to $q_f$. In what follows, to ease the readability we omit the formal description of the automata and use our graphical notation instead.
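Fig. 1 itself is not reproduced on this page, so the following added Python (my own code, not the paper's) makes the example executable: a breadth-first simulator for $d$-head pushdown automata over one shared tape, following Definitions 1, 3 and 5 (a per-state head selector, one pop per move, the endmarker $\$$ appended to the tape, acceptance only in a final state with every head off its tape), plus a 2-HPDA for $\{w \& w \mid w \in \{0,1\}^* \text{ a palindrome}\}$ built the way the text describes. State names, the bottom-of-stack symbol and the `max_stack` bound are assumptions of this example; the bound keeps the search finite for automata that could push forever on $\varepsilon$-moves, and is never reached here.

```python
from collections import deque
from typing import Dict, Optional, Set, Tuple

BOT = "⊥"   # bottom-of-stack symbol (assumed name); never popped in the example
END = "$"   # endmarker appended to the tape

# Transition table: (state, letter-or-None for ε, stack top) -> {(state', replacement)}.
# `replacement` is written bottom..top and replaces the popped top, so (γ, x)
# pushes x on top of γ, (γ,) leaves the stack unchanged and () pops.
Key = Tuple[str, Optional[str], str]
Trans = Dict[Key, Set[Tuple[str, Tuple[str, ...]]]]


def accepts(word: str, d: int, delta: Trans, nu: Dict[str, int],
            start: str, finals: Set[str], max_stack: Optional[int] = None) -> bool:
    """Does the d-HPDA (delta, nu, start, finals) accept `word`?  IDs are
    (state, head positions, stack); head p is off the tape when p == len(tape)."""
    tape = word + END
    if max_stack is None:
        max_stack = 2 * len(tape) + 2          # search bound, see the lead-in
    init = (start, (0,) * d, (BOT,))
    seen, todo = {init}, deque([init])
    while todo:
        state, heads, stack = todo.popleft()
        if state in finals and all(p == len(tape) for p in heads):
            return True                        # Definition 5: accepting ID
        if not stack:
            continue                           # nothing to pop: run is stuck
        h = nu[state] - 1                      # head selected by ν(state), 0-based
        options = [(None, 0)]                  # ε-move: the head does not move
        if heads[h] < len(tape):
            options.append((tape[heads[h]], 1))
        for sym, step in options:
            for nstate, push in delta.get((state, sym, stack[-1]), ()):
                nstack = stack[:-1] + push
                if len(nstack) > max_stack:
                    continue
                nheads = heads[:h] + (heads[h] + step,) + heads[h + 1:]
                conf = (nstate, nheads, nstack)
                if conf not in seen:
                    seen.add(conf)
                    todo.append(conf)
    return False


def palindrome_copy_2hpda():
    """2-HPDA for { w & w | w over {0,1} is a palindrome }, as sketched in the text:
    head 2 checks the palindrome with the stack, then both heads compare the
    two copies letter by letter, and head 1 finally runs off the tape."""
    bits, gamma = ("0", "1"), (BOT, "0", "1")
    delta: Trans = {}

    def add(s, a, g, t, push):
        delta.setdefault((s, a, g), set()).add((t, push))

    for g in gamma:
        for x in bits:
            add("q1", x, g, "q1", (g, x))       # head 2: push the first half
            add("q1", x, g, "q2", (g,))         # head 2: x is the middle letter
            add("q3", x, g, "q3" + x, (g,))     # head 1: remember x in the state
            add("q3" + x, x, g, "q3", (g,))     # head 2: must read the same x
            add("qf", x, g, "qf", (g,))         # head 1: [x ∈ {0,1}⟩ self-loop
        add("q1", None, g, "q2", (g,))          # guess: even-length palindrome
        add("q3", "&", g, "q4", (g,))           # head 1 reached the separator
        add("q4", END, g, "qf", (g,))           # head 2 falls off the tape
        add("qf", END, g, "qf", (g,))           # head 1 falls off the tape
    for x in bits:
        add("q2", x, x, "q2", ())               # head 2: pop the matching letter
    add("q2", "&", BOT, "q3", (BOT,))           # the [&⟩_2, ⊥/⊥ transition
    nu = {"q1": 2, "q2": 2, "q3": 1, "q30": 2, "q31": 2, "q4": 2, "qf": 1}
    return delta, nu, "q1", {"qf"}


def in_language(word: str) -> bool:
    delta, nu, s0, finals = palindrome_copy_2hpda()
    return accepts(word, 2, delta, nu, s0, finals)


if __name__ == "__main__":
    for w in ["&", "010&010", "01&01", "010&011"]:
        print(repr(w), in_language(w))
```

The comparison phase alternates between a state that reads with head 1 and two states that read with head 2, because the tape selector is a function of the state alone; that is the same bookkeeping the formal definition imposes, and it is why the remembered letter has to be folded into the state name.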

We now introduce a generalization of pushdown automata with several heads working on a shared tape. This model is closely related to $d$-TPDA as described below.

Definition 6: Let $\Delta_d \subseteq [\Sigma^*]^d$ be given by $\{(w_1, \ldots, w_d) \in [\Sigma^*]^d \mid w_1 = \cdots = w_d\}$ and let $\pi_1 \colon [\Sigma^*]^d \to \Sigma^*$ be the function which maps $L \subseteq [\Sigma^*]^d$ onto the first tape: $\pi_1(L) = \{w_1 \in \Sigma^* \mid (w_1, \ldots, w_d) \in L\}$.

When the $d$-tuple of tapes is restricted to $\Delta_d$, that is, when all the tapes have identical content, we can view $A$ as a pushdown automaton with $d$ heads sharing a unique tape. In this case we define the language $L \subseteq \Sigma^*$ accepted by the $d$-head pushdown automaton $A$ (or $d$-HPDA) to be $\pi_1(T(A) \cap \Delta_d)$ and we denote this language by $L(A)$. We write MHPDA for the class of models $d$-HPDA for $d \ge 1$.

IV. Emptiness modulo Bounded Expressions

Given a $d$-HPDA $M$ and a bounded expression $\mathbf{w} = w_1^* \cdots w_n^*$, both over an alphabet $\Sigma$, we show how to check emptiness of $L(M) \cap \mathbf{w}$. Recall that we can construct a $d$-TPDA $A$ of size $O(|M|)$ such that $L(M) \cap \mathbf{w} = \emptyset$ iff $T(A) \cap [\mathbf{w}]^d \cap \Delta_d = \emptyset$, where $\Delta_d$ is the set of $d$-tuples of the form $(w, w, \ldots, w)$ (see Def. 6).

In Section IV-A we show that emptiness of $T(A) \cap [\mathbf{w}]^d$ can be reduced to emptiness of a context-free grammar, and in Section IV-B that emptiness of $L(M) \cap \mathbf{w}$ can be reduced to unsatisfiability of an existential Presburger formula. The steps of the reduction are summarized in Fig. 2.

A. Emptiness of $T(A) \cap [\mathbf{w}]^d$

We construct in three steps a context-free grammar that recognizes an "encoding" of $T(A) \cap [\mathbf{w}]^d$.

Roughly speaking, in the first step we construct a $d$-TPDA recognizing the result of applying a transformation on $T(A) \cap [\mathbf{w}]^d$ which "contracts" each word $w_i$ of $\mathbf{w}$ into a single letter.

Let $\Sigma' = \{a_1, \ldots, a_n\}$ be a new alphabet and let $\mathbf{a} = a_1^* \cdots a_n^*$ be a bounded expression over $\Sigma'$. Given a bounded expression $\mathbf{w} = w_1^* \cdots w_n^*$ over $\Sigma$, we define the mapping $f_{\mathbf{w}} \colon \mathbb{N}^n \to \Sigma^*$ by $f_{\mathbf{w}} \colon (i_1, \ldots, i_n) \mapsto w_1^{i_1} \cdots w_n^{i_n}$.



Lemma 1: There is a computable $d$-TPDA $B$ over $\Sigma'$ of size $O(|A| \cdot |\mathbf{w}|^d)$ such that for every $k_1, \ldots, k_d \in \mathbb{N}^n$ we have:
$$(f_{\mathbf{w}}(k_1), \ldots, f_{\mathbf{w}}(k_d)) \in T(A) \cap [\mathbf{w}]^d \quad\text{iff}\quad (f_{\mathbf{a}}(k_1), \ldots, f_{\mathbf{a}}(k_d)) \in T(B) .$$

Sketch of Proof: We first construct a $d$-TPDA $B_1$ such that $T(B_1) = T(A) \cap [\mathbf{w}]^d$. For this, let $W$ be an NFA recognizing $\mathbf{w} \cdot \$$, and let $Q_W$ be its set of states and $F_W \subseteq Q_W$ the accepting ones. Adapting the shuffle construction for NFAs, we can construct an NFA $W^d$ with states $[Q_W]^d = Q_W \times \cdots \times Q_W$ ($d$ times) recognizing $\underline{\sqcup\!\sqcup}_{i=1}^{d} L(\mathbf{w} \cdot \$)$. We synchronize $A$ with $W^d$ as follows. The set of states of $B_1$ is $S \times [Q_W]^d$, where $S$ is the set of states of $A$, and the set of final states is $F \times [F_W]^d$. The tape selection function of $B_1$ is determined by the one of $A$. If $A$ has a transition $(s_a, \gamma) \xrightarrow{[\sigma\rangle} (s_b, w)$, where $\sigma \in \Sigma \cup \{\$\}$ is read from the tape $\ell = \nu(s_a)$, and $W^d$ has a transition $(q_1, \ldots, q_\ell, \ldots, q_d) \xrightarrow{(\sigma, \ell)} (q_1, \ldots, q'_\ell, \ldots, q_d)$, then $B_1$ has a transition $((s_a, q_1, \ldots, q_\ell, \ldots, q_d), \gamma) \xrightarrow{[\sigma\rangle_\ell} ((s_b, q_1, \ldots, q'_\ell, \ldots, q_d), w)$. If $A$ has a transition $(s_a, \gamma) \xrightarrow{[\varepsilon\rangle} (s_b, w)$ (resp. $W^d$ has a transition $(q_1, \ldots, q_j, \ldots, q_d) \xrightarrow{\varepsilon} (q_1, \ldots, q'_j, \ldots, q_d)$), then $B_1$ has a transition $((s_a, q_1, \ldots, q_d), \gamma) \xrightarrow{[\varepsilon\rangle_\ell} ((s_b, q_1, \ldots, q_d), w)$ (resp. $((s_a, q_1, \ldots, q_j, \ldots, q_d), \gamma) \xrightarrow{[\varepsilon\rangle_\ell} ((s_a, q_1, \ldots, q'_j, \ldots, q_d), \gamma)$ for every $\gamma \in \Gamma$). $B_1$ has no further transitions.

Now we construct $B$. It is easy to construct $W$ so that for every word $w_i$ of $\mathbf{w}$ it contains a state $q_{w_i}$ that is entered every time (and only when) $W$ reads the last letter of $w_i$. We proceed as follows. First, we transform all transitions of $B_1$, with the exception of those labeled with endmarkers, into $\varepsilon$-transitions. Then, we relabel again all transitions entering $q_{w_i}$, i.e., all transitions in which some copy of $W$ takes a transition with target $q_{w_i}$: we replace $\varepsilon$ by $a_i$. ∎

In a second step we construct a PDA that recognizes the indexed shuffle of $T(B)$. Let $\Sigma_d = \bigcup_{i=1}^{d} (\Sigma' \bowtie i)$. Given a $d$-tuple of tapes $u = (u_1, \ldots, u_d)$ define $\underline{\sqcup\!\sqcup}(u) = \underline{\sqcup\!\sqcup}_{i=1}^{d} \{u_i\}$.

Lemma 2: There is a computable PDA $C$ over $\Sigma_d$ of size $O(|B|)$ such that $u \in T(B)$ iff $\underline{\sqcup\!\sqcup}(u) \cap L(C) \ne \emptyset$ for every $u \in [\Sigma'^*]^d$.

Sketch of Proof: $B$ and $C$ have the same states, initial and final states, and stack alphabets. Assume $B$ is currently at state $s$, and the tape selector assigns to $s$ tape number $\ell = \nu(s)$. The transitions of $C$ are defined so that if in the next move $B$ reads a letter $a$, then $C$ reads the letter $(a, \ell)$ (unless $a \in \{\$, \varepsilon\}$, in which case $C$ reads $\varepsilon$). Formally, for $a \ne \$$ and $a \ne \varepsilon$ the PDA $C$ has a transition $(s, \gamma) \xrightarrow{(a, \ell)} (s', w)$ iff $B$ has a transition $(s, \gamma) \xrightarrow{[a\rangle_\ell} (s', w)$, and $C$ has a transition $(s, \gamma) \xrightarrow{\varepsilon} (s', w)$ iff $B$ has a transition $(s, \gamma) \xrightarrow{[\$\rangle_\ell} (s', w)$ or $(s, \gamma) \xrightarrow{[\varepsilon\rangle_\ell} (s', w)$. Now, $C$ accepts the word of $\underline{\sqcup\!\sqcup}(u)$ that interleaves the letters from the different tapes in the order in which they are read by $B$. ∎

The third step is standard [1]:

Lemma 3: There is a computable CFG $G$ over $\Sigma_d$ of size $O(|C|^3)$ such that $L(G) = L(C)$.

Putting these lemmas together, we finally get

Proposition 1: There is a computable CFG $G$ over $\Sigma_d$ of size $O(|A|^3 \cdot |\mathbf{w}|^{3d})$ such that for every $k_1, \ldots, k_d \in \mathbb{N}^n$ we have:
$$(f_{\mathbf{w}}(k_1), \ldots, f_{\mathbf{w}}(k_d)) \in T(A) \cap [\mathbf{w}]^d \quad\text{iff}\quad \underline{\sqcup\!\sqcup}(f_{\mathbf{a}}(k_1), \ldots, f_{\mathbf{a}}(k_d)) \cap L(G) \ne \emptyset .$$

B. Emptiness of $L(M) \cap \mathbf{w}$

Recall that $L(M) \cap \mathbf{w} = \emptyset$ iff $T(A) \cap [\mathbf{w}]^d \cap \Delta_d = \emptyset$. To decide this problem, we rely on the notion of Parikh image. By definition of indexed shuffle, for every tuple $v \in [\Sigma'^*]^d$ all the words of $\underline{\sqcup\!\sqcup}(v)$ have the same Parikh image, which justifies the notation $\mathit{Parikh}(\underline{\sqcup\!\sqcup}(v))$. Now we have:

Lemma 4: For every $v \in [\Sigma'^*]^d$: $\underline{\sqcup\!\sqcup}(v) \cap L(G) \ne \emptyset$ iff $\mathit{Parikh}(\underline{\sqcup\!\sqcup}(v)) \in \mathit{Parikh}(L(G))$.

Proof: The right-to-left direction is obvious. For the converse, $\underline{\sqcup\!\sqcup}(v) \cap L(G) \ne \emptyset$ implies $\mathit{Parikh}(w') \in \mathit{Parikh}(L(G))$ for some $w' \in \underline{\sqcup\!\sqcup}(v)$, but all elements of $\underline{\sqcup\!\sqcup}(v)$ have the same Parikh mapping. ∎

So checking $\underline{\sqcup\!\sqcup}(v) \cap L(G) \ne \emptyset$ can be done by checking $\mathit{Parikh}(\underline{\sqcup\!\sqcup}(v)) \in \mathit{Parikh}(L(G))$. For this check we can resort to the following theorem.

Theorem 1: [23] For each CFG $G$, there is a computable existential Presburger formula $\Phi$ of size $O(|G|)$ such that $\mathit{Parikh}(L(G)) = [\![\Phi]\!]$.

We immediately get:

Proposition 2: There is a computable existential Presburger formula $\Phi$ with free variables $\{x_{ij} \mid i \in [1, n],\ j \in [1, d]\}$ of size $O(|G|)$ such that
$$(f_{\mathbf{w}}(k_1), \ldots, f_{\mathbf{w}}(k_d)) \in T(A) \cap [\mathbf{w}]^d \quad\text{iff}\quad \Phi(k_1, \ldots, k_d) \text{ is true} .$$

Proof: Take for $\Phi$ the formula of Thm. 1. We have:

$(f_{\mathbf{w}}(k_1), \ldots, f_{\mathbf{w}}(k_d)) \in T(A) \cap [\mathbf{w}]^d$

iff $\underline{\sqcup\!\sqcup}(f_{\mathbf{a}}(k_1), \ldots, f_{\mathbf{a}}(k_d)) \cap L(G) \ne \emptyset$ (Prop. 1)

iff $(k_1, \ldots, k_d) \in \mathit{Parikh}(L(G))$ (Lem. 4)

iff $\Phi(k_1, \ldots, k_d)$ is true (Thm. 1). ∎

The advantage of Prop. 2 is that it can be easily extended to a procedure for checking not only emptiness of $T(A) \cap [\mathbf{w}]^d$, but also emptiness of $T(A) \cap [\mathbf{w}]^d \cap \Delta_d$. Recall that the tuples in $T(A) \cap [\mathbf{w}]^d \cap \Delta_d$ are the tuples of $T(A)$ of the form $(w, \ldots, w) \in [\Sigma^*]^d$ for some $w \in \mathbf{w}$. Let $k, k_1, \ldots, k_d \in \mathbb{N}^n$. We have:

$(f_{\mathbf{w}}(k_1), \ldots, f_{\mathbf{w}}(k_d)) \in T(A) \cap [\mathbf{w}]^d \cap \Delta_d$

iff (property of $\Delta_d$, taking $k = k_1 = \cdots = k_d$) $[f_{\mathbf{w}}(k)]^d \in T(A) \cap [\mathbf{w}]^d$

iff (Prop. 2) $\Phi(\underbrace{k, \ldots, k}_{d \text{ times}})$ is true

iff $\exists i_1, \ldots, i_d \in \mathbb{N}^n \colon \Phi(i_1, \ldots, i_d)$ is true and $i_1 = \cdots = i_d$

iff $\exists x_{11} \cdots \exists x_{nd}.\ \Phi \wedge \bigwedge_{i=1}^{n} \bigwedge_{j=1}^{d} x_{ij} = k_i$ is true

where $\Phi$ is the formula of Prop. 2. So we get

Theorem 2: There is a computable formula $\Psi(x_1, \ldots, x_n)$ of existential Presburger arithmetic of size $O(|M|^3 \cdot |\mathbf{w}|^{3d})$ such that $f_{\mathbf{w}}(k_1, \ldots, k_n) \in L(M) \cap \mathbf{w}$ iff $\Psi(k_1, \ldots, k_n)$ is true. In particular, $L(M) \cap \mathbf{w} \ne \emptyset$ iff $\Psi$ is satisfiable.

Proof: It suffices to take
$$\Psi(x_1, \ldots, x_n) = \exists x_{11} \cdots \exists x_{nd}.\ \Phi \wedge \bigwedge_{i=1}^{n} \bigwedge_{j=1}^{d} x_{ij} = x_i .$$

This theorem admits a simple but useful generalization:

Theorem 3: Let $\{M_i\}_{i=1}^{q}$ be a family of MHPDA such that $M_i$ is a $c_i$-HPDA for each $i \in [1, q]$. Let $c = \max(\{c_i\}_{i \in [1, q]})$ and $m = \max(\{|M_i|\}_{i \in [1, q]})$. There is a computable formula $\Psi(x_1, \ldots, x_n)$ of existential Presburger arithmetic of size $O(q \cdot m^3 \cdot |\mathbf{w}|^{3c})$ such that $f_{\mathbf{w}}(k_1, \ldots, k_n) \in \bigcap_{i=1}^{q} L(M_i)$ iff $\Psi(k_1, \ldots, k_n)$ is true.

Proof: Define $\Psi(x_1, \ldots, x_n)$ to be $\bigwedge_{i=1}^{q} \Psi_i(x_1, \ldots, x_n)$ such that each $\Psi_i(x_1, \ldots, x_n)$ is the formula obtained by Thm. 2 on input $M_i$ and $\mathbf{w}$. Correctness is proved as follows:

$f_{\mathbf{w}}(k_1, \ldots, k_n) \in \bigcap_{i=1}^{q} L(M_i) \cap \mathbf{w}$

iff $\bigwedge_{i=1}^{q} f_{\mathbf{w}}(k_1, \ldots, k_n) \in L(M_i) \cap \mathbf{w}$

iff $\bigwedge_{i=1}^{q} \Psi_i(k_1, \ldots, k_n)$ is true (Thm. 2)

iff $\Psi(k_1, \ldots, k_n)$ is true (def. of $\Psi$)

We conclude from Thm. 2 that $|\Psi_i| = O(m^3 \cdot |\mathbf{w}|^{3c})$ for each $i \in [1, q]$, hence that $|\Psi| = O(q \cdot m^3 \cdot |\mathbf{w}|^{3c})$. ∎



C. Complexity 

Emptiness of MHPDAs is clearly undecidable (by reduc- 
tion from the emptiness problem for intersection of context- 
free languages). We prove that emptiness modulo a bounded 
expression is coNEXPTIME-complete. 



Fig. 2. Summary of the decision procedure steps: $M$ (together with $\mathbf{w}$) $\to$ $A$ [$O(|M|)$] $\to$ $B$ [Lem. 1, $O(|A| \cdot |\mathbf{w}|^d)$] $\to$ $C$ [Lem. 2, $O(|B|)$] $\to$ $G$ [Lem. 3, $O(|C|^3)$] $\to$ $\Phi$ [Thm. 1, $O(|G|)$]; each bracket gives the result used for the step and the size of the object it produces.



Theorem 4: The emptiness problem for MHPDAs modulo an arbitrary bounded expression is in coNEXPTIME. Moreover, the emptiness problem for MHPDAs and $\mathbf{w} = (01)^*$ is coNEXPTIME-hard.

The question arises whether emptiness remains coNEXPTIME-complete for letter-bounded expressions. Remarkably, this is not the case: for such expressions the emptiness problem is only NP-complete. Fix a letter-bounded expression $\mathbf{b} = b_1^* \cdots b_n^*$ where the $b_i$'s are not necessarily distinct. The key to the result is that Lem. 1 (with $\mathbf{w}$ now equal to $\mathbf{b}$) can be replaced by the following one.

Lemma 5: There is a family $\{B_i\}_{i=1}^{\alpha}$ of $d$-TPDAs over $\Sigma'$, where $\alpha = d^{|\mathbf{b}| \cdot d}$ and each $B_i$ has size $O(|A| \cdot |\mathbf{b}| \cdot d^2)$, such that for every $k_1, \ldots, k_d \in \mathbb{N}^n$ we have
$$(f_{\mathbf{b}}(k_1), \ldots, f_{\mathbf{b}}(k_d)) \in T(A) \cap [\mathbf{b}]^d \quad\text{iff}\quad (f_{\mathbf{a}}(k_1), \ldots, f_{\mathbf{a}}(k_d)) \in \bigcup_{i=1}^{\alpha} T(B_i) .$$
Moreover, we can decide in time $O(|A| \cdot |\mathbf{b}| \cdot d^2)$ if a given MHPDA belongs to $\{B_i\}_{i=1}^{\alpha}$.

Proof: We can easily construct an NFA $W$ recognizing $L(\mathbf{b} \cdot \$)$ with states $\{q_1, \ldots, q_{n+1}\}$ (recall that $n + 1 = |\mathbf{b}|$), initial state $q_1$, final state $q_{n+1}$, and transitions $\{q_t \xrightarrow{b_t} q_t \mid t \in [1, n]\} \cup \{q_j \xrightarrow{\varepsilon} q_{j+1} \mid j \in [1, n-1]\} \cup \{q_n \xrightarrow{\$} q_{n+1}\}$. Let $W^d$ be the NFA defined in Lem. 1 recognizing $\underline{\sqcup\!\sqcup}_{i=1}^{d} L(\mathbf{b} \cdot \$)$. While $W^d$ has $(n+1)^d$ states, it is easy to see that for $\mathbf{w} = \mathbf{b}$ every accepting run of $W^d$ only visits $(n+1) \cdot d$ distinct states, because every transition $(q_{i_1}, \ldots, q_{i_d}) \to (q_{j_1}, \ldots, q_{j_d})$ of $W^d$ satisfies $i_1 \le j_1, \ldots, i_d \le j_d$. We can then associate to each accepting run $\rho$ the subset $Q^{\rho}_{W^d}$ of the states of $Q_{W^d}$ visited by $\rho$, and so the sub-NFA $W^d_\rho$ of $W^d$ with $Q^{\rho}_{W^d}$ as set of states, and whose transitions are the transitions of $W^d$ between states of $Q^{\rho}_{W^d}$. Clearly, $W^d_\rho$ has at most $(n+1) \cdot d$ states and at most $((n+1) \cdot d) \cdot (d + d) = O(n \cdot d^2)$ transitions. (Consider a state $(q_{i_1}, \ldots, q_{i_d})$; the term $(d + d)$ corresponds to the transitions labeled by $(b_{i_j}, j)$ or $(\varepsilon, j)$ for each $j \in [1, d]$.) Moreover, even though there are infinitely many accepting runs, the number of different such sub-NFAs is $d^{|\mathbf{b}| \cdot d}$, because each state of $W^d$ has $d$ successors different from itself, and every accepting run of $W^d$ only visits $(n+1) \cdot d$ distinct states. Let $W^d_1, \ldots, W^d_\alpha$ be an enumeration of them.

In Lem. 1 we first construct a $d$-TPDA $B_1$ by synchronizing $A$ and $W^d$, and then we transform $B_1$ into another $d$-TPDA $B$. Now we first synchronize $A$ and $W^d_i$, yielding a $d$-TPDA $B_{1i}$ for every $i \in [1, \alpha]$, and then we apply the same transformation as in Lem. 1 to obtain a $d$-TPDA $B_i$. Clearly, we have $T(B) = \bigcup_{i=1}^{\alpha} T(B_i)$, and so the result follows. ∎

Proceeding as in the previous section, we now obtain for each $d$-TPDA $B_i$ a grammar $G_i$, and from it an existential Presburger formula $\Psi_i$. We get:

Proposition 3: There is a computable family $\{\Psi_i(x_1, \ldots, x_n)\}_{i=1}^{\alpha}$ of existential Presburger formulas, each of them of size $O(|M|^3 \cdot |\mathbf{b}|^3 \cdot d^6)$, such that $f_{\mathbf{b}}(k_1, \ldots, k_n) \in L(M) \cap \mathbf{b}$ iff $\bigvee_{i=1}^{\alpha} \Psi_i(k_1, \ldots, k_n)$ is true. In particular, $L(M) \cap \mathbf{b} \ne \emptyset$ iff at least one of the formulas in the family is satisfiable. Moreover, we can decide in time $O(|M|^3 \cdot |\mathbf{b}|^3 \cdot d^6)$ if a given formula belongs to $\{\Psi_i(x_1, \ldots, x_n)\}_{i=1}^{\alpha}$.
Finally, we get: 

Theorem 5: The emptiness problem for MHPDAs modulo letter-bounded expressions is in coNP. Moreover, the emptiness problem for MHPDAs and $w = b^*$ is coNP-hard.

Proof: Let $M$ be a $d$-HPDA and let $b$ be a letter-bounded expression. The nondeterministic polynomial algorithm for non-emptiness of $L(M) \cap b$ first guesses one of the formulas $\Psi_i$ of Prop. 3, checks in polynomial time that it belongs to the family and then nondeterministically checks that it is satisfiable. Since $\Psi_i$ has polynomial size in $|M| + |b| + d$, the whole procedure takes nondeterministic polynomial time.

The coNP-hardness result follows from [12, Theorem 1], which proves that given CFGs $G_1, \dots, G_k$, deciding non-emptiness of $L(G_1) \cap \dots \cap L(G_k) \cap L(b^*)$ is coNP-hard. Since we can easily construct in linear time a $k$-HPDA recognizing $L(G_1) \cap \dots \cap L(G_k)$, the result follows. ■

V. Closure under Boolean operations 

It is straightforward to show that MHPDAs are effectively 
closed under union and intersection. 

Proposition 4: Let $A_1$ be a $k_1$-HPDA and $A_2$ a $k_2$-HPDA. We can construct in linear time $(k_1 + k_2)$-HPDAs $A_{\cup}$ and $A_{\cap}$ such that $L(A_{\cup}) = L(A_1) \cup L(A_2)$ and $L(A_{\cap}) = L(A_1) \cap L(A_2)$.

Proof: $A_{\cup}$ nondeterministically decides to simulate $A_1$ or $A_2$; it requires $\max\{k_1, k_2\}$ heads. $A_{\cap}$ simulates $A_1$ with heads $[1, k_1]$ and if $A_1$ reaches an accepting state, then it simulates $A_2$ with heads $[k_1 + 1, k_1 + k_2]$. ■

MHPDAs are not closed under complement, but they are closed under complement modulo any bounded expression.

Proposition 5: Given a $d$-HPDA $A$ and a bounded expression $w$, there is an MHPDA $B$ such that $L(B) = w \setminus L(A)$ and $|B|$ is at most triply exponential in $|A|, |w|$.

Proof: The complementation procedure works as follows:

• Compute the existential Presburger formula $\Psi$ of Thm. 2 with constants written in unary. A simple inspection of the result of [23] shows that the size of $\Psi$ is still $O(|A|^3 \cdot |w|^{3d})$ (the constants of $\Psi$ for a context-free grammar $G$ have linear size in $|G|$ even when written in unary).

• Compute a quantifier-free formula $\Phi = \neg\Psi$ (with constants written in unary). This is possible because Presburger arithmetic has quantifier elimination procedures. Moreover, since $\Psi$ has one single block of existential quantifiers, we have $|\Phi| \in 2exp(O(|\Psi|))$ [24][25], where $2exp(n) = 2^{2^n}$. We have $w_1^{k_1} \cdots w_n^{k_n} \in (w \setminus L(A))$ iff $\Psi(k_1, \dots, k_n)$ is false iff $\Phi(k_1, \dots, k_n)$ is true.

• Construct the MHPDA $B$ as follows. $B$ has a head for each atomic formula of $\Phi$. Control ensures that heads read the input one after the other (i.e., the $(i+1)$-st head starts reading the input after the $i$-th head has completely read it). The $i$-th head checks whether the $i$-th atomic formula is satisfied by the input. For instance, a constraint like $3k_1 - 2k_2 < 5$ is checked using the stack as follows: the stack is used as a counter over the integers (using two symbols, say $P$ and $N$, and encoding $i$ where $i > 0$ as $P^i \bot$ and $-i$ ($i > 0$) as $N^i \bot$ for some bottom stack symbol $\bot$); $B$ reads $w_1^{k_1} w_2^{k_2}$, so that at the end the counter contains $3k_1 - 2k_2$; then $B$ compares the content of the counter with 5. Control takes care of evaluating the formula by combining the results of the evaluation of the atomic formulas. $B$ accepts $w_1^{k_1} \cdots w_n^{k_n}$ if the evaluation of $\Phi$ is true. Since the constants of $\Phi$ are written in unary, we have $|B| \in O(|\Phi|)$.

This procedure yields a triple exponential bound for $B$ in the size of $A$. More precisely, the procedure is only triply exponential in the number of heads of $A$, but not in its number of states or transitions. ■
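The atomic-formula check of the last step, as an added example that is not code from the paper: a stack over $\{\bot, P, N\}$ used as an integer counter, a head that reads a word of the bounded expression $w_1^* w_2^*$ adding the coefficient of each block to the counter, and a comparison against a unary constant that pops at most that many $P$'s. The class and function names, the sample words $w_1 = ab$, $w_2 = c$, and the backtracking parser for $w_1^{k_1} \cdots w_n^{k_n}$ are assumptions of this illustration.

```python
# Added example (not from the paper): evaluating one atomic Presburger constraint
# the way the MHPDA B of Prop. 5 does, with the stack as an integer counter.
# Names, sample words and the parser below are constructed for this illustration.

BOTTOM = "_|_"   # the bottom stack symbol, written _|_ here


class StackCounter:
    """Integer counter over the stack alphabet {_|_, P, N}.

    Encoding from the proof: i > 0 is P^i _|_ , -i (i > 0) is N^i _|_ , and 0 is _|_ .
    Every operation inspects only the top of the stack, as a PDA can.
    """

    def __init__(self):
        self.stack = [BOTTOM]           # top of the stack is the last element

    def top(self):
        return self.stack[-1]

    def add(self, delta):
        """Add the integer delta to the counter, one unit at a time."""
        for _ in range(abs(delta)):
            if delta > 0:
                if self.top() == "N":   # +1 cancels a pending N ...
                    self.stack.pop()
                else:                   # ... or pushes a P
                    self.stack.append("P")
            else:
                if self.top() == "P":   # -1 cancels a pending P ...
                    self.stack.pop()
                else:                   # ... or pushes an N
                    self.stack.append("N")

    def less_than(self, const):
        """Decide counter < const for const >= 0 written in unary (at most const pops)."""
        for _ in range(const):
            if self.top() != "P":
                return True             # fewer than const P's above _|_ : counter < const
            self.stack.pop()
        return False                    # const P's popped: counter >= const

    def value(self):
        """Decoded value, for inspection only; the PDA never needs it."""
        n = len(self.stack) - 1
        return n if self.top() == "P" else -n


def parse_bounded(word, segments, pos=0):
    """Return (k_1, ..., k_n) with word[pos:] = w_1^{k_1} ... w_n^{k_n}, or None.

    Tries k = 0, 1, 2, ... for the first segment and recurses on the rest, so it
    also handles segments that are prefixes of one another (assumes nonempty w_i).
    """
    if not segments:
        return () if pos == len(word) else None
    seg, rest = segments[0], segments[1:]
    k = 0
    while True:
        tail = parse_bounded(word, rest, pos)
        if tail is not None:
            return (k,) + tail
        if not word.startswith(seg, pos):
            return None
        pos += len(seg)
        k += 1


def eval_atom(word, segments, coeffs, const):
    """Check  sum_i coeffs[i] * k_i < const  on word = w_1^{k_1} ... w_n^{k_n}.

    The constraint 3 k_1 - 2 k_2 < 5 of the proof is coeffs=(3, -2), const=5:
    the head adds 3 to the counter per occurrence of w_1 and subtracts 2 per w_2.
    """
    ks = parse_bounded(word, list(segments))
    if ks is None:
        raise ValueError("word is not in the bounded expression")
    counter = StackCounter()
    for k, a in zip(ks, coeffs):
        for _ in range(k):
            counter.add(a)
    return counter.less_than(const)
```

With $w_1 = ab$ and $w_2 = c$, the word $ababab\,cc$ has $k_1 = 3$, $k_2 = 2$ and $3 \cdot 3 - 2 \cdot 2 = 5$, so the constraint $3k_1 - 2k_2 < 5$ fails, while $abab\,cc$ gives $2 < 5$ and $cccc$ drives the counter to $-8$, represented by eight $N$'s.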
For letter-bounded expressions, we get one exponential less by using Prop. 3 to compute a family of exponentially many Presburger formulas, each polynomial in the size of the automaton and the bounded expression, then following the previous construction and noting that the intersection of exponentially many MHPDAs, each doubly exponential, still gives a doubly exponential MHPDA.

Proposition 6: Given a $d$-HPDA $A$ and a letter-bounded expression $b$, there is an MHPDA $B$ such that $L(B) = b \setminus L(A)$ and $|B|$ is at most doubly exponential in $|A|, |b|$.

VI. Optimality questions 

Let $\mathcal{V}$ denote the class of finite unions of bounded expressions, let $\mathcal{F}$ denote the class of finite languages, and let $\mathcal{U} = \mathcal{V} \cup \mathcal{F}$. We have shown that MHPDA is perfect modulo $\mathcal{U}$. This raises two questions: (1) is MHPDA perfect modulo some class of regular languages larger than $\mathcal{U}$?, and (2) is some class larger than MHPDA perfect modulo $\mathcal{U}$?

Prop. 7.1 shows that the answer to (1) is negative. We do not settle (2), but show in Prop. 7.2 that the largest class of regular languages for which the context-sensitive languages (CSL) are perfect is $\mathcal{F}$. Actually, the proposition shows that no class with an undecidable emptiness problem (and satisfying some additional very weak properties) can be perfect modulo any class of regular languages larger than $\mathcal{F}$. So, in particular, no class containing the languages generated by Okhotin's conjunctive grammars can be perfect [26].

Proposition 7:

1) $\mathcal{U}$ is the largest class of regular languages such that MHPDA is perfect modulo $\mathcal{U}$;

2) $\mathcal{F}$ is the largest class of regular languages such that CSL is perfect modulo $\mathcal{F}$.

Proof:

Point 1. Let $\mathcal{C}$ be a class of regular languages stronger than $\mathcal{U}$. We show that the emptiness problem of MHPDA modulo $\mathcal{C}$ is undecidable, which implies that MHPDA is not perfect modulo $\mathcal{C}$.

Since $\mathcal{C}$ is stronger than $\mathcal{U}$, there is an infinite regular language $L \in \mathcal{C}$ that is not equal to a finite union of bounded expressions. We show that there are words $u, v_0, v_1, x$ such that $\varepsilon \neq v_0 \neq v_1 \neq \varepsilon$, $v_0 v_1 \neq v_1 v_0$ and $u(v_0 + v_1)^* x \subseteq L$.

We need some preliminaries. We call an NFA $A$ with $\varepsilon$-transitions simple if every strongly connected component (SCC) of $A$ is either trivial or a cycle containing at least one non-$\varepsilon$ transition, and every bottom SCC contains a final state. Clearly, if $A$ is simple then there is a finite union $\rho_1, \dots, \rho_n$ of bounded expressions such that $L(A) = \rho_1 + \dots + \rho_n$ (informally, each $\rho_i$ corresponds to a path in the acyclic graph obtained by contracting every SCC to a single node). Conversely, every finite union of bounded expressions is recognized by a simple NFA with $\varepsilon$-transitions.

Since $L$ is regular, there is an NFA with $\varepsilon$-transitions $A_L$ such that $L(A_L) = L$. W.l.o.g. we can assume that every bottom SCC of $A_L$ contains some final state. Since $L$ is infinite, $A_L$ contains at least one nontrivial SCC reachable from the initial state. Since $L$ is not equal to a finite union of bounded expressions, $A_L$ contains at least one SCC, say $C$, reachable from the initial state, that is not a cycle. Moreover, we can assume that from some state $q$ of $C$ there are two paths leading from $q$ to $q$ that read two different nonempty words $v_0, v_1$ such that $v_0 v_1 \neq v_1 v_0$ (otherwise, $C$ can be "replaced" by two cycles: one for $v_0$ and one for $v_1$). Let $u$ be any word leading to $q$, and $x$ be any word leading from $q$ to a final state. Clearly, $u(v_0 + v_1)^* x \subseteq L$.

We now prove that the emptiness problem of MHPDA modulo $L$ (and so modulo $\mathcal{C}$) is undecidable by reduction from the emptiness problem for the intersection of CFGs over the alphabet $\{0, 1\}$. Let $G_1, G_2$ be two CFGs. Using closure of CFL with respect to concatenation and homomorphism, we can easily construct grammars $G'_1, G'_2$ such that $G_i$ accepts $a_1 \dots a_n \in \{0,1\}^*$ iff $G'_i$ accepts the word $u(w_1 \dots w_n)x$, where $w_j = v_0$ if $a_j = 0$, and $w_j = v_1$ if $a_j = 1$ for every $j \in [1,n]$. Now, since $L(G'_1), L(G'_2) \subseteq u(v_0 + v_1)^* x$, we have $L(G'_1) \cap L(G'_2) \cap L = L(G'_1) \cap L(G'_2) \cap u(v_0 + v_1)^* x$, and so $L(G_1) \cap L(G_2) = \emptyset$ iff $L(G'_1) \cap L(G'_2) \cap L = \emptyset$. So the emptiness problem of MHPDA modulo $L$ is undecidable.

Point 2. Since CSL is closed under Boolean operations and has a decidable membership problem, CSL is perfect modulo $\mathcal{F}$. Any class of regular languages stronger than $\mathcal{F}$ contains an infinite regular language $L$. We prove that emptiness of CSL modulo $L$ is undecidable by reduction from the emptiness problem for CSL, which implies that CSL is not perfect modulo $L$.

Since $L$ is infinite, there are words $w_1, w_2, w_3$ such that $w_1 w_2^* w_3 \subseteq L$. Given a context-sensitive grammar $G$, it is easy to construct a grammar $G'$ satisfying $L(G') \subseteq w_1 w_2^* w_3$ and such that $L(G)$ is empty iff $L(G')$ is empty. First, we replace every terminal symbol of $G$ by a variable generating $w_2$, and then we add a new production $S' \to S_1 S S_3$, where $S$ is the axiom of $G$, and $S_1, S_3$ are variables generating $w_1, w_3$. ■

VII. Applications to Verification 

In this section, we show that MHPDAs are expressive enough to capture several automata-theoretic models. More surprisingly, we show that MHPDAs are an elegant solution to find optimal complexity results as well. As an appetizer consider the non-emptiness problem for the intersection of $k$ context-free languages and a bounded expression $w$. In [12], the authors show that this problem is in NP, and use it to show that assertion checking of multithreaded programs communicating through shared memory is in NP as well. To show that this result is subsumed by ours, proceed as follows. First, compute in polynomial time 1-HPDAs $\{M_i\}_{i \in [1,k]}$ recognizing the context-free languages. Then, use Thm. 3 to compute in $O(k \cdot \max_i(|M_i|) \cdot |w|^3)$ time a formula $\Psi$ such that $\Psi$ is satisfiable iff the intersection of the $k$ CFLs and $w$ is non-empty. Conclude that the problem is in NP.

In the next two sections we prove that the control-state 
reachability problem for recursive counter machines (CM) and 
communicating finite-state machines (CFSM) modulo bounded 
expressions also reduces to bounded emptiness of MHPDA, 
and use this to prove that both problems are NP-complete. 

VIII. Recursive Counter Machines 

Let $k \geq 1$. A recursive counter machine (CM) is a tuple $(S, \Gamma, C, T, s_0)$ where $S$ is a non-empty finite set of control states; $\Gamma$ is a stack alphabet with a distinguished bottom stack symbol $\bot$; $C = \{c_1, \dots, c_k\}$ is a finite set of $k$ counters; $s_0 \in S$ is the initial control state; and $T$ is a finite set of transitions of the form $(\alpha, \gamma) \xrightarrow{op} (\beta, v)$, where $\alpha, \beta \in S$, $\gamma \in \Gamma$, $v \in \Gamma^*$, and $op \in \{inc_i, dec_i, zerotest_i\}_{i \in [1,k]}$ is one of the counter operations increment, decrement, or test for zero of $c_i \in C$, respectively.

A configuration $(s, w, v_1, \dots, v_k) \in S \times \Gamma^* \times \mathbb{N}^k$ consists of a control state $s$, a stack content $w$, and a valuation of the counters. The initial configuration is $c_0 = (s_0, \bot, \vec{0})$. Let $t$ be a transition $(\alpha, \gamma) \xrightarrow{op} (\beta, v)$. We say that a configuration $c' = (s', w', v'_1, \dots, v'_k)$ is a flow $t$-successor of $c = (s, w, v_1, \dots, v_k)$, denoted by $c\ F_t\ c'$, if $s = \alpha$, $s' = \beta$, $w = \gamma u$ and $w' = v u$ for some $u \in \Gamma^*$. We say that $c'$ is a $t$-successor of $c$, denoted by $c\ R_t\ c'$, if $c\ F_t\ c'$ and either $op = inc_i$ and $(v'_1, \dots, v'_k) = (v_1, \dots, v_k) + e_i$, or $op = dec_i$ and $(v'_1, \dots, v'_k) = (v_1, \dots, v_k) - e_i$, or $op = zerotest_i$ and $v_i = 0$ and $(v'_1, \dots, v'_k) = (v_1, \dots, v_k)$. Given a sequence $\pi \in T^*$, we define $F(\pi)$ recursively as follows: $F(\varepsilon)$ is the identity relation over configurations, and $F(\pi' \cdot t) = F(\pi') \circ F_t$, where $\circ$ denotes join of relations. Given $L \subseteq T^*$, we define $F(L) = \bigcup_{\pi \in L} F(\pi)$. We define $R(\pi)$ and $R(L)$ analogously. The set of configurations reachable through $L$ is $post[L] = \{c \mid c_0\ R(L)\ c\}$.

The control reachability problem for CM asks, given a control state $s_f$, whether $post[T^*]$ contains a configuration with control state $s_f$. The problem is undecidable even for non-recursive counter machines [27].

Given a bounded expression $w$ over the alphabet $T$ of transitions, the control reachability problem modulo $w$ is the question whether $post[w]$ contains a configuration with control state $s_f$. We show that this problem is NP-complete by means of a reduction to the bounded emptiness problem for sequential MHPDAs.
Fig. 3. The 1-HPDA over alphabet $\{+, -, 0\}$.



A. Encoding Counter Machines 

Fix a CM $(S, \Gamma, C, T, s_0)$ with $k$ counters and a bounded expression $w$ over $T$. We construct $k + 1$ 1-HPDAs such that $\pi \in T^*$ is accepted by all the 1-HPDAs iff $post[\pi]$ contains a configuration with $s_f$ as control state. (Following Prop. 4, we can then construct an equivalent $(k+1)$-HPDA if we wish.)

The first PDA $P_0$ checks whether $c_0\ F(\pi)\ c$ holds for some configuration $c$ having $s_f$ as control state. Since for each transition $t$ of the CM the relation $F_t$ exactly corresponds to the relation induced by the productions of a pushdown automaton, the construction of $P_0$ is straightforward, and we omit the details.

A word $\pi$ accepted by $P_0$ is consistent with the control flow of the CM, but might not be feasible ($\pi$ may zero-test a counter whose value is not 0, or decrement a counter whose value is 0). Feasibility is checked by PDAs $P_1, \dots, P_k$. More precisely, $P_i$ checks that the projection of $\pi$ onto the operations of $c_i$ is feasible. We first describe a generic PDA $P_y$ over the alphabet $\{+, -, 0\}$, where "$+$" encodes increment, "$-$" decrement, and "$0$" a zero-test, as a template that can be instantiated to generate $P_1, \dots, P_k$.

$P_y$ is shown in Fig. 3. It uses its stack as a counter. The stack alphabet is $\{\bot, a\}$. When $P_y$ reads a $+$ (a $-$), it pushes an $a$ onto (pops an $a$ from) the stack, and when it reads $0$, it checks that the top element is the end-of-stack marker $\bot$ ($(0), \bot/\bot$). Now, $P_i$ is a suitably modified version which, when reading a letter $t = (\alpha, \gamma) \xrightarrow{op} (\beta, w)$, acts according to the operation $op$: if $op = inc_i$ ($dec_i$, $zerotest_i$), then $t$ is treated as $+$ ($-$, $0$). If $op$ does not operate on the $i$-th counter, then control ignores $t$.
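The two kinds of check described above, simulated on a concrete transition sequence, as an added example that is not the paper's own code: `flow_ok` plays the role of $P_0$ (control state and stack only), `project` and `template_feasible` play the role of the template $P_y$ instantiated as $P_i$ for counter $i$, and `reaches` combines them as the intersection of the $k + 1$ automata does. The counter machine, its state and stack-symbol names and the sequences used in the test are constructed for the illustration; $\bot$ is written `Z`.

```python
# Added example, not from the paper: simulating P_0 and the feasibility PDAs
# P_1..P_k of Section VIII-A on a transition sequence pi of a counter machine.
# A transition (alpha, gamma) --op--> (beta, v) is the tuple
# (alpha, gamma, op, beta, v) with op = ("inc" | "dec" | "zerotest", i) and
# v a string whose first symbol becomes the new top of the stack.

BOTTOM = "Z"   # stands for the bottom stack symbol, written _|_ in the paper


def flow_ok(pi, s0, s_f):
    """P_0: is there a configuration c with c_0 F(pi) c and control state s_f?

    F_t only looks at the control state and the stack, never at the counters.
    """
    state, stack = s0, [BOTTOM]          # top of the stack is the last element
    for alpha, gamma, _op, beta, v in pi:
        if state != alpha or not stack or stack[-1] != gamma:
            return False                  # t not enabled: no flow successor exists
        stack.pop()
        stack.extend(reversed(v))        # push v, first symbol of v on top
        state = beta
    return state == s_f


def project(pi, i):
    """Projection of pi onto the operations of counter i, in the alphabet {+, -, 0}."""
    code = {"inc": "+", "dec": "-", "zerotest": "0"}
    return [code[name] for (_a, _g, (name, j), _b, _v) in pi if j == i]


def template_feasible(ops):
    """The template PDA P_y: stack as a counter over {_|_, a}; getting stuck means infeasible."""
    stack = [BOTTOM]
    for sym in ops:
        if sym == "+":
            stack.append("a")            # increment: push an a
        elif sym == "-":
            if stack[-1] != "a":         # decrement of a counter at 0: no successor
                return False
            stack.pop()                  # decrement: pop an a
        elif sym == "0":
            if stack[-1] != BOTTOM:      # zero-test of a nonzero counter: no successor
                return False
        else:
            raise ValueError(f"unknown operation {sym!r}")
    return True


def reaches(pi, s0, s_f, k):
    """post[pi] contains a configuration with control state s_f iff P_0, P_1, ..., P_k all accept."""
    return flow_ok(pi, s0, s_f) and all(
        template_feasible(project(pi, i)) for i in range(1, k + 1)
    )


# Constructed machine with k = 2 counters and stack alphabet {Z, A}.
T1 = ("s0", "Z", ("inc", 1), "s1", "AZ")       # push A, inc c_1
T2 = ("s1", "A", ("inc", 2), "s1", "AA")       # push A, inc c_2
T3 = ("s1", "A", ("dec", 1), "s2", "")         # pop A, dec c_1
T4 = ("s2", "A", ("zerotest", 1), "s3", "A")   # keep stack, zero-test c_1
T4_EARLY = ("s1", "A", ("zerotest", 1), "s3", "A")
T_DEC2 = ("s1", "A", ("dec", 2), "s3", "A")
```

Under these assumptions the sequence $T_1 T_2 T_3 T_4$ reaches $s_3$: $P_0$ accepts and the projections $+\,-\,0$ (counter 1) and $+$ (counter 2) are both feasible; $T_1 T_2 T_{4}'$ with the early zero-test is accepted by $P_0$ but rejected by $P_1$, and a decrement of $c_2$ before any increment is rejected by $P_2$.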

Applying Thm. 3, we get: 

Theorem 6: Given a CM $A = (S, \Gamma, C, T, s_0)$ with $k$ counters, a control state $s_f \in S$, and a bounded expression $w$ over $T$, there is a computable formula $\Phi_{A, s_f}$ of existential Presburger arithmetic of size $O(k \cdot |A|^3 \cdot |w|^3)$ such that $post[w]$ contains a configuration with state $s_f$ iff $\Phi_{A, s_f}$ is satisfiable. As a consequence, the bounded control reachability problem for recursive counter machines is in NP.

NP-hardness holds even for non-recursive counter machines (this result has been communicated to us by S. Demri, but for completeness a proof can be found in the Appendix), and therefore the bound of Thm. 6 is optimal.

A similar construction can be used to simulate recursive machines with $k$ auxiliary stacks.
Fig. 4. The 2-HPDA where $\Sigma = \{\sigma_1, \dots, \sigma_n\}$.



IX. Communicating Finite State Machines 

Let $k \geq 1$. A communicating finite state machine (CFSM) is a tuple $(S, K, \Sigma, T, s_0)$ where $S$ is a non-empty finite set of control states; $K = \{C_1, \dots, C_k\}$ is a finite set of unbounded FIFO channels; $\Sigma$ is a non-empty finite set of messages; $s_0 \in S$ is the initial control state; and $T$ is a finite set of transitions. Each transition $t \in T$ is given by a triple $(\alpha_t, op_t, \beta_t)$ where $\alpha_t, \beta_t \in S$ and $op_t$ is the channel operation: either $!a{:}C_i$, which writes message $a \in \Sigma$ to channel $C_i$, or $?a{:}C_i$, which reads message $a \in \Sigma$ from channel $C_i$. A configuration is a tuple $(s, x_1, \dots, x_k) \in S \times [\Sigma^*]^k$ containing a control state and the content of each channel $C_i \in K$. The initial configuration is $c_0 = (s_0, \varepsilon, \dots, \varepsilon)$.

Given $t = (\alpha, op, \beta) \in T$, we define the relations $F_t$ and $R_t$ over configurations as follows: $(s, x_1, \dots, x_k)\ F_t\ (s', x'_1, \dots, x'_k)$ iff $\alpha_t = s$ and $\beta_t = s'$, and $(s, x_1, \dots, x_k)\ R_t\ (s', x'_1, \dots, x'_k)$ iff $s = \alpha$, $s' = \beta$, and for all $i \in [1,k]$ either $x_i = a \cdot x'_i$ and $op_t = {?a{:}C_i}$, or $x'_i = x_i \cdot a$ and $op_t = {!a{:}C_i}$, or $x'_i = x_i$ otherwise.

$F(L)$, $R(L)$, $post[L]$, the control reachability problem and the control reachability problem modulo a bounded expression for CFSMs are defined as for CM. The reachability problem for CFSM is undecidable [28].

A. Encoding Communicating Machines 

We proceed as for recursive counter machines. Given a CFSM with $k$ channels, we construct a finite automaton $P_0$ and $k$ 2-HPDAs $P_1, \dots, P_k$ such that $\pi \in T^*$ is accepted by all of $P_0, \dots, P_k$ iff $post[\pi]$ contains a configuration with $s_f$ as control state. Again, $P_0$ checks whether $c_0\ F(\pi)\ c$ holds for some configuration $c$ having $s_f$ as control state, and $P_1$ to $P_k$ check feasibility of $\pi$. In the case of CFSM, feasibility means that the contents of the channels after taking a transition $t$ are the ones given by $R(t)$.

$P_0$ is even simpler than for CM, since there is no recursion.⁴

⁴ Our results also hold for recursive CFSM, but since this model is rather artificial we refrain from describing it.



$P_i$ checks feasibility of $\pi$ with respect to the $i$-th channel. As in the case of CM, we define a generic 2-HPDA $P_y$, depicted in Fig. 4, that checks consistency for a channel $C$.

For convenience the heads of $P_y$ are named $h$ and $H$. The stack alphabet is $\{\bot, a\}$, where $\bot$ is, as above, a special end-of-stack marker. $P_y$ works as follows. In state $q_H$, head $H$ reads symbols $\{!\sigma_i \mid i \in [1,n]\}$ to channel $C$ until a symbol $?\sigma_j$ for some $j \in [1,n]$ or $\$$ is read. When $?\sigma_j$ is read, control jumps to $q_h$. In $q_h$, head $h$ looks for the first symbol in $\{!\sigma_i \mid i \in [1,n]\}$. If it is $!\sigma_j$ (which corresponds to $?\sigma_j$) then control returns to $q_H$. Intuitively, if a symbol is read from channel $C$ it must have been written previously. Observe that the stack ensures that $h$ does not move beyond $H$. In fact, in every reachable configuration not in state $q_f$, $P_y$ maintains the invariant that the number of symbols between $H$ and $h$ coincides with the number of $a$'s on the stack. For instance, for tapes $(t_h, t_H)$ where

$t_h = \ !\sigma_1\ \#\ !\sigma_2\ ?\sigma_1\ ?\sigma_2\ \&$

the stack content is $\bot a^3$. Because of the invariant, head $H$ will be the first to read $\$$, in which case the control is updated to $q_f$. Hence, from $q_f$, transitions read anything with head $h$ until it falls off the tape.
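The two-head check just described, run over a constructed sequence of channel operations, as an added example that is not the paper's own code. A tape cell is `("!", m)` for a write of message `m`, `("?", m)` for a read, and `"$"` for the end marker; the stack is represented by the number of $a$'s above $\bot$, so the invariant "symbols between $H$ and $h$ = number of $a$'s" is the equation `stack == H - h`. The function names, the message names and the transition sequences are assumptions of this illustration.

```python
# Added example (not from the paper): the 2-HPDA P_y of Fig. 4 simulated on one
# channel, and its instantiation P_i by projecting a transition sequence onto
# channel C_i. Sample tapes and transitions are constructed for the illustration.

def channel_feasible(tape):
    """Simulate P_y: True iff every read on the channel takes the oldest unread message.

    tape: list of ("!", m) / ("?", m) cells followed by the end marker "$".
    """
    H = h = 0          # head positions; reading a cell moves that head one step right
    stack = 0          # number of a's on the stack; invariant: stack == H - h
    state = "qH"
    wanted = None      # the message of the ?sigma_j that sent control to q_h
    while True:
        if state == "qH":
            cell = tape[H]          # H reads ...
            H += 1
            stack += 1              # ... and pushes an a
            if cell == "$":
                state = "qf"        # H reached the end marker first: accept
            elif cell[0] == "?":
                wanted, state = cell[1], "qh"
        elif state == "qh":
            if stack == 0:
                return False        # h would overtake H: the read has no earlier write
            cell = tape[h]          # h reads ...
            h += 1
            stack -= 1              # ... and pops an a
            if cell[0] == "!":      # first unread write: it must be the message read
                if cell[1] != wanted:
                    return False    # FIFO order violated
                state = "qH"
        else:                       # q_f: h reads anything until it falls off the tape
            return True


def channel_tape(pi, channel):
    """Projection of pi onto one channel, as the tape seen by P_i (transitions are
    (alpha, (kind, message, channel), beta) with kind "!" or "?")."""
    tape = [(kind, msg) for (_a, (kind, msg, ch), _b) in pi if ch == channel]
    return tape + ["$"]


def feasible(pi, channels):
    """pi is feasible iff P_1, ..., P_k all accept their projections."""
    return all(channel_feasible(channel_tape(pi, c)) for c in channels)


# Constructed CFSM run over channels C1 and C2 with messages m1, m2 and x.
PI_OK = [
    ("s0", ("!", "m1", "C1"), "s1"),
    ("s1", ("!", "x", "C2"), "s2"),
    ("s2", ("!", "m2", "C1"), "s3"),
    ("s3", ("?", "m1", "C1"), "s4"),
    ("s4", ("?", "x", "C2"), "s5"),
    ("s5", ("?", "m2", "C1"), "s6"),
]
PI_EMPTY_READ = [("s0", ("?", "x", "C2"), "s1"), ("s1", ("!", "x", "C2"), "s2")]
```

The invariant is what makes the check sound: because `h` can only advance by popping, it never runs ahead of `H`, so a read that has no earlier matching write leaves `P_y` stuck in $q_h$ with an empty stack, and a read that skips the oldest unread message fails the comparison at the first write symbol `h` encounters.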

We can now apply Thm. 3 again. In this case, the members of our family of MHPDAs have at most 2 heads, i.e., $c = 2$.

Theorem 7: Given a CFSM $A = (S, K, \Sigma, T, s_0)$ with $k$ channels, a control state $s_f \in S$, and a bounded expression $w$ over $T$, there is a computable formula $\Phi_{A, s_f}$ of existential Presburger arithmetic of size $O(k \cdot |A|^3 \cdot |w|^6)$ such that $post[w]$ contains a configuration with state $s_f$ iff $\Phi_{A, s_f}$ is satisfiable. As a consequence, the bounded control reachability problem for CFSM is in NP.

Again, we can prove that NP-hardness holds for CFSM, and therefore that our bound is optimal. The proof is in the Appendix.

Finally, let us observe that the above reduction can be extended so as to handle machines where transitions are either counter operations or channel operations, i.e. $(S, \Gamma, C \cup K, T, s_0)$. The construction of $P_0$ is as for CM. Then, for each auxiliary storage $S \in C \cup K$, it suffices to use the adequate MHPDA (for counter or channel) checking feasibility of a sequence of operations on $S$. Again, we can show an NP upper bound for the bounded control reachability problem.

X. Conclusions 

We have introduced verification modulo a class of languages, which formalizes the common practice, for efficiency reasons, of checking only a subset of the behaviours of a system. This leads to the notion of a perfect computational model $\mathcal{M}$ modulo a class of behaviours $\mathcal{C}$. We have presented a perfect model for the class of bounded expressions: multi-head pushdown automata (MHPDA). We have determined the complexity of the emptiness problem, shown that many popular modelling formalisms can be easily compiled into MHPDA, and proved that the compilation leads to verification algorithms of optimal complexity.



There are two interesting open problems. The first one is 
to search for more expressive perfect models modulo bounded 
expressions. The second is to determine whether our bounds 
relating the sizes of two MHPDAs accepting a bounded 
language and its bounded complement are tight. 
Appendix
Missing Proofs

A. Proposition 4

The emptiness problem for MHPDAs modulo an arbitrary bounded expression is in coNEXPTIME. Moreover, the emptiness problem for MHPDAs and $w = (01)^*$ is coNEXPTIME-hard.



Proof of Prop. 4: Membership in coNEXPTIME follows immediately from Thm. 2 and the fact that satisfiability of existential Presburger formulas is in NP [29].

For the hardness part, we reduce from 0-1 Succinct Knapsack.

Input: Boolean circuit $\theta$ with $k + n$ variables ($k, n > 0$ given in unary). The circuit represents $2^k$ numbers $a_0, \dots, a_{2^k - 1}$, each with $2^n$ bits in binary, as follows. The $i$-th bit of the binary representation of $a_j$ is $x \in \{0, 1\}$ if the circuit $\theta$ on input $bin_k(j), bin_n(i)$ evaluates to $x$, for $i \in [0, 2^n - 1]$, $j \in [0, 2^k - 1]$, where $bin_a(\beta)$ is the binary representation of $\beta$ using $a$ bits.

Output: "Yes" if there exist $z_1, \dots, z_{2^k - 1} \in \{0, 1\}$ such that $a_0 = \sum_{i=1}^{2^k - 1} a_i z_i$, "No" otherwise.

Given an instance of the 0-1 Succinct Knapsack problem, we construct in polynomial time an MHPDA that accepts a string of the form $(01)^*$ iff the 0-1 Succinct Knapsack problem answers "Yes."

The idea of the proof is to use $d$ heads of an MHPDA and the bounded expression $(01)^*$ to encode $2^d$ states, and to use the stack to compute up to $2^{2^d}$. The MHPDA uses two heads, one to track $a_0$ and one to track the sum on the r.h.s. If these heads point to the same location at the end, we accept. Note that we cannot directly check if two heads are pointing to the same location. However, we can alternately move the heads to the right (by reading) and check that they hit the end marker at the same time.

We start with some preliminary constructions. We use $d$ heads $h_1, \dots, h_d$ to encode a $d$-bit configuration $b \in \{0,1\}^d$: to encode $b$, we make sure that head $h_i$ is pointing to bit $b_i$ on the tape. For $b \in \{0,1\}^d$, we write $b_i$ for the $i$-th bit of $b$. With this representation, we denote by $\vec{h}$ the $d$-bit binary number given by the symbols under the heads $h_1, \dots, h_d$. Also, we denote by $[\vec{h}]$ the number that is represented.

Given a constant $c \in \{0,1\}^d$, we can check that the current store encodes $c$ without destroying the current encoding as follows. First, observe that the bounded expression $(01)^*$ ensures that by reading twice from any head, the head points to the same bit as it was pointing to before the two reads (for a long enough string). For $i = 1, \dots, d$, read twice with $h_i$ and remember the first value, say $x$, that is read. Then check that $x = c_i$. If not, we go to a state signifying that the current configuration is not storing $c$; otherwise we continue with the next iteration of the loop. At the end of the loop, we go to a state that signifies that the current encoding is equal to $c$. The stack is not touched.

Given heads $h_1, \dots, h_d$, we can "reset" the encoding to a specific $c \in \{0,1\}^d$ (noted $\vec{h} \leftarrow c$) as follows. For $i = 1, \dots, d$, read with $h_i$ and let $x$ be the value read. If $x = c_i$, then again read with $h_i$; else do nothing (because after the read with $h_i$, it points to $c_i$). The stack is not touched.

Given heads $h_1, \dots, h_d$ and $h'_1, \dots, h'_d$, we can "copy" the encoding of the $h_i$'s to the $h'_i$'s ($\vec{h}' \leftarrow \vec{h}$) as follows. For $i = 1, \dots, d$, we execute the following. Read twice with $h_i$ and remember the first value, say $x$, that is read. Now read with $h'_i$; if the value read equals $x$ then read again; else do nothing. At the end of updating the $d$ heads we have that $\vec{h}'$ equals $\vec{h}$. The stack is not touched.

Given the binary number $\vec{h}$, $\vec{h} \neq 1^d$, we show how to add one to the number such that the resulting $\vec{h}$ encodes $[\vec{h}] + 1$. Read with $h_1$; if the symbol read is 0 then we are done ($h_1$ now points to 1); else ($h_1$ now points to 0) do the following: read with $h_2$; if the symbol read is 0 ($h_2$ now points to 1) then we are done. In general, if $h_i$ points to zero (and all $h_1, \dots, h_{i-1}$ point to 1's), read with each head $h_1, \dots, h_i$. We can similarly subtract one from the number $\vec{h}$, $\vec{h} \neq 0^d$, by replacing zero with one in the above construction. In both constructions, the stack is not touched.

Finally, suppose we have heads $h_0, \dots, h_d$, a head $H$, and $2^d$ bits $c_1 c_2 \dots c_{2^d}$ on the stack. Let $C$ be the number with binary representation $c_{2^d} \dots c_1$. We show how the head $H$ can be moved $C$ times to the right, using the heads $h_0, \dots, h_d$. Note that $C$ can be as large as $2^{2^d} - 1$, so we cannot directly store $C$ using poly($d$) heads. Instead, we use the $d$ heads to count the position in the stack, and perform binary arithmetic on the number in the stack. We execute the following program.

    $[\vec{h}] \leftarrow 2^d$
    1: while $[\vec{h}] \neq 0$ and top of stack is 0 {
           pop;
           $[\vec{h}] \leftarrow [\vec{h}] - 1$;
       }
       if $[\vec{h}] = 0$ {
           exit;   /* $H$ has now moved $C$ times */
       } else {    /* top of stack is necessarily 1 */
           pop 1; push 0; read with $H$;
           while $[\vec{h}] \neq 2^d$ {
               push 1;
               $[\vec{h}] \leftarrow [\vec{h}] + 1$;
           }
       }
       goto 1;

Using the constructions above, the program can be implemented by an MHPDA of size polynomial in $d$. We call this procedure MoveRight($H$).

We now show how to evaluate the circuit $\theta$. W.l.o.g., we assume that $\theta$ is given as $p_1(n + k)$ layers, each layer having $p_2(n + k)$ binary gates, for polynomials $p_1$ and $p_2$. We use $k + n + p_1(k + n) p_2(k + n)$ heads. The inputs are copied into $k + n$ heads. Then, we evaluate the value of each gate, starting at the lowest layer, and store it into the head representing that gate. To evaluate the gate, we look at the values encoded by the heads representing its inputs, and evaluate the Boolean function for the gate. The stack is untouched in the evaluation. Thus, circuit evaluation can be performed by an MHPDA (indeed, a multi-head finite automaton) using polynomially many (in $k + n$) heads.

Now we come to the main construction. The MHPDA has the following heads:

• a head $A_0$ to track $a_0$, and a head $SUM$ to track the r.h.s.;

• $k$ heads $K_1, \dots, K_k$ to track the indices of the numbers $a_0, \dots, a_{2^k - 1}$;

• $m$ heads $M_1, \dots, M_m$ to track the $2^m$ bits of each number;

• $m + 1$ heads $H_0, \dots, H_m$ to implement procedure MoveRight above;

• additional heads (polynomial in $k + n$) to evaluate circuit $\theta$.

Initially, each head points to a 0; in particular, $\vec{K} = 0^k$. The MHPDA works in the following phases.

In the first phase, we initialize $\vec{M}$ to $1^m$ and then run the following iteratively. We evaluate $\theta$ on the input $\vec{K}; \vec{M}$ (by copying $K_1, \dots, K_k, M_1, \dots, M_m$ onto the circuit inputs and then evaluating the circuit), and push the evaluated value onto the stack. If $\vec{M} = 0^m$ we move to the next phase of the construction. Otherwise, we subtract 1 from $[\vec{M}]$ and repeat the evaluation.

At the end of the above loop, we have $2^m$ bits, representing the number $a_0$, stored on the stack (least significant bit on top). We now invoke MoveRight($A_0$), which will move head $A_0$ $a_0$ times to the right.

Then comes the phase of guessing and summing a subset of $\{a_1, \dots, a_{2^k - 1}\}$ to compare the resulting value against $a_0$. First we set $[\vec{K}]$ to 1. For $[\vec{K}] = 1$ to $2^k - 1$, do the following loop. We guess if $z_{[\vec{K}]}$ is zero or one, using the finite state of the automaton. If $z_{[\vec{K}]}$ is guessed to be zero, we continue with the next iteration of the loop. Otherwise, we initialize $\vec{M}$ to $1^m$, and iteratively evaluate $\theta$ on $\vec{K}; \vec{M}$ for each $\vec{M}$ from $1^m$ to $0^m$, and push each evaluated bit on the stack. At the end of the process, we have the $2^m$ bits of $a_{[\vec{K}]}$ on the stack, least significant bit first. We now invoke MoveRight($SUM$) to move the head $SUM$ $a_{[\vec{K}]}$ times to the right.

At the end of the loop, we have that the head $SUM$ has moved $\sum_{i=1}^{2^k - 1} z_i a_i$ times to the right, where the $z_i$'s are the guesses made by the MHPDA. We now check if $A_0$ and $SUM$ are pointing to the same tape cell by moving them alternately and checking that they read the end marker $\$$ immediately one after the other. If so, we read with all heads until they fall off the tape and accept. Otherwise, we reject. Note that the computations can be performed by an MHPDA that is polynomial in the size of the input.

If the answer to the 0-1 Succinct Knapsack instance is 
"Yes," then there is a sequence of guesses, and a string in 
(01)* that is sufficiently long to perform all the computations, 



such that the MHPDA accepts. However, if the answer is "No" 
then the language of the automaton is empty. 

Thus, given a MHPDA M, and the fixed bounded ex- 
pression (01)*, checking if L(M) n (01)* is empty is 
coNEXPTIME-hard. ■ 

B. Proposition 6

Given a $d$-HPDA $A$ and a letter-bounded expression $b = b_1^* \dots b_n^*$, there is an MHPDA $B$ such that $L(B) = b \setminus L(A)$ and $|B|$ is at most doubly exponential in $|A|, |b|$.

Proof of Prop. 6: The complementation procedure follows these steps:

• Compute the family $\{\Psi_i(x_1, \dots, x_n)\}_{i=1}^{\alpha}$ of existential Presburger formulas of Prop. 3, each of them of size $p(|A| \cdot |b|)$ for a suitable polynomial $p$. Recall that $\alpha = d^{|b| \cdot d}$.

• Compute quantifier-free formulas $\Phi_i = \neg\Psi_i$ with constants in unary of size $|\Phi_i| \in 2exp(O(|\Psi_i|))$. By Prop. 3 we have $b_1^{k_1} \cdots b_n^{k_n} \in (b \setminus L(A))$ iff $\bigvee_{i=1}^{\alpha} \Psi_i(k_1, \dots, k_n)$ is false iff $\bigwedge_{i=1}^{\alpha} \Phi_i(k_1, \dots, k_n)$ is true.

• Construct for every formula $\Phi_i$ an MHPDA $B_i$ of size $O(|\Phi_i|)$ as in Prop. 5.

• Let $B$ be an MHPDA accepting $\bigcap_{i=1}^{\alpha} L(B_i)$, which exists by Prop. 4. We have

$|B| \in O\left(\sum_{i=1}^{\alpha} |B_i|\right) \subseteq O\left(\sum_{i=1}^{\alpha} |\Phi_i|\right) \subseteq d^{nd} \cdot 2exp(p'(|A| \cdot n)) = 2exp(p''(|A| \cdot n))$

for suitable polynomials $p', p''$.

■

C. NP-hardness of control state reachability modulo bounded expressions for Counter Machines

Proof: We reduce from 3SAT. Given a 3SAT formula $C_1 \wedge \dots \wedge C_m$ over variables $x_1, \dots, x_n$, we construct a CM with counters $\{t_{x_i}, f_{x_i} \mid i \in [1,n]\} \cup \{c_i \mid i \in [1,m]\}$. We use a gadget to assign values to variables and a gadget to check that a clause is satisfied by the current assignment to variables. Fig. 5 shows the gadgets.

For each variable $x$ in the formula, we keep two counters $t_x$ and $f_x$. The variable gadget (top of Fig. 5) ensures that when control reaches $q_3$, then either $t_x = 1$ and $f_x = 0$ (encoding that $x$ is true) or $t_x = 0$ and $f_x = 1$ (encoding that $x$ is false), depending on whether the loop is executed one or zero times, respectively. Note that the loop can be executed at most once: the second iteration gets stuck decrementing $f_x$.

The clause gadget (bottom of Fig. 5) shows how we check that a clause $c = x_1 \vee \neg x_2 \vee x_3$ is satisfied. The gadget keeps a "control" counter $c$. The first loop checks that $f_{x_1} = 0$ (i.e., $t_{x_1} = 1$, and $x_1$ is set to true) and increments $c$. The second loop checks that $t_{x_2} = 0$ (i.e., $f_{x_2} = 1$, and $x_2$ is set to false) and increments $c$. The third loop checks that $f_{x_3} = 0$ (i.e., $t_{x_3} = 1$, and $x_3$ is set to true) and increments $c$. Each loop can be executed any number of times. At the end, the decrement succeeds only when at least one iteration of a loop has executed, which indicates that $c$ is satisfied. Note that if $c$ is not satisfied, control cannot reach the last location $r_3$: either one of the tests in the loops gets stuck, or the decrement at the end gets stuck.

For the reduction, we sequentially compose gadgets for all the variables and then all the clauses and ask if the control state at the end of the last clause can be reached. Clearly, paths of the automaton conform to a bounded expression. ■

D. NF '-hardness of control state reachability modulo bounded 
expressions for CFSM 

Proof: We reduce from 3SAT. Given a 3SAT formula
$C_1 \wedge \ldots \wedge C_m$ over variables $x_1, \ldots, x_n$, we construct a CFSM
with channels $\{x_i, \bar{x}_i \mid i \in [1,n]\} \cup \{c_i \mid i \in [1,m]\}$. There are
two messages: 0 and 1. The channel $x_i$ is used to keep a guess
for the variable $x_i$. The channel $\bar{x}_i$ is a "control channel" used
to ensure only one guess is made. The control flow graph of the
CFSM consists of gadgets selecting a value for each variable
and gadgets checking that each clause is satisfied.

The gadget for variables is shown on the top of Fig. 6. The
gadget first puts a single message 0 into the control channel
$\bar{x}_i$. It then defines two loops. The first puts 0 in the channel
$x_i$ (thereby guessing $x_i$ is false) and flips the control channel
by dequeueing the 0 and enqueueing a 1. The second puts 1
in the channel $x_i$ (thereby guessing that $x_i$ is true) and flips
the control channel as before. Finally, the edge from $q_2$ to $q_3$
dequeues a 1 from the control channel.

By the use of the control channel, we note that any execution
that reaches $q_3$ must execute exactly one loop, exactly one
time. When control reaches $q_3$, the control channel $\bar{x}_i$ is empty,
and the channel $x_i$ contains either 0 or 1.

The gadget for clauses is shown in the bottom of Fig. 6,
for the particular clause $c = (x_1 \vee \neg x_2 \vee x_3)$ (the general case
is immediate). The gadget for the clause has three loops, one
for each literal in the clause. Each loop checks if the value
guessed for the variable matches the literal (i.e., the clause is
satisfied). If so, a message is added to the channel $c$. At the end
of the three loops (edge $r_2$ to $r_3$), we check that the control
channel $c$ has at least one message. By construction, control
can reach $r_3$ only when the current guess for the variables
satisfies the clause. Moreover, the channels $x_i$ are unchanged.

The CFSM sequentially composes the variable gadgets and 
the clause gadgets, and checks if control can reach the last 
node of the last clause gadget. Clearly, paths of the automaton 
conform to a bounded expression. ■ 



[Fig. 5: gadget diagrams not reproduced in the text; recovered edge labels: inc($t_x$); zerotest($f_{x_1}$); zerotest($t_{x_2}$); zerotest($f_{x_3}$); inc($c$) inc($c$) inc($c$)]

Fig. 5. Reduction for CMs. The top gadget shows variable assignment. The bottom gadget shows the checks for a clause $c = x_1 \vee \neg x_2 \vee x_3$.




Fig. 6. Reduction for CFSMs. The top gadget shows variable selection. The bottom gadget shows the checks for a clause $x_1 \vee \neg x_2 \vee x_3$.



